Non performant #122

Open
osennte opened this issue Sep 5, 2023 · 2 comments

Comments

osennte commented Sep 5, 2023

Hello, I am afraid that this set of rules is not performing well. I tried the following command on a test VM with it:

```
time dd if=/dev/zero of=/dev/null bs=512 count=1000000
```

It took about 1.8s; however, when I inserted the following rule on top of the rule set, it took only about 0.4s:

```
-a never,exit -F arch=b64 -S read,write
```

The reason is probably that all system calls that are not handled in the rule set are checked against all syscall rules.
It thus might be useful to insert a rule on top that "ignores" all system calls that are not handled in the original rule set and that are often used.
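The ordering effect described above can be checked on a rules file before anything is loaded. The script below is an added example written for this thread; it is not code from the issue or from the rule set it discusses. The rules file it writes (name, the `execve` rule and the `/etc/passwd` watch) is a constructed stand-in for the project's rules, `bench_dd` reproduces the reporter's `dd` micro-benchmark, and `load_rules` only runs `auditctl -R` when root and `auditctl` are available, so everything else works offline. Loading a file through `auditctl -R` is also how you see which lines the kernel rejects.

```shell
#!/usr/bin/env bash
# Added example for this thread; it is not code from the issue or from the
# rule set it discusses. Assumes Linux with GNU coreutils (dd, date +%N),
# awk, and, only for load_rules, root plus auditctl from the audit package.
set -eu

# Write a constructed rules file. The "always" rule and the watch below are
# illustrative stand-ins for the project's real rules, not copies of them.
write_rules() {
    local out=$1
    cat > "$out" <<'EOF'
## Suppression first: exit-list rules are evaluated in order and matching
## stops at the first hit, so a leading "never" rule drops read/write before
## any later rule is checked. It also hides read/write from every later rule.
-a never,exit -F arch=b64 -S read,write
## Illustrative rules (constructed for this example, not the project's own)
-a always,exit -F arch=b64 -S execve -k exec
-w /etc/passwd -p wa -k identity
EOF
}

# Succeed (exit 0) only if the first active rule in the file is the
# suppression, i.e. it precedes every "always" rule and every watch.
suppression_first() {
    local first
    first=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | head -n 1)
    case "$first" in
        "-a never,exit"*) return 0 ;;
        *)                return 1 ;;
    esac
}

# Count the rules placed before the suppression; each of them is still
# evaluated for every read/write syscall. Prints the number.
rules_before_suppression() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
        | awk '/^-a never,exit/ { exit } /^-[aw]/ { n++ } END { print n+0 }'
}

# The micro-benchmark from the report: "count" pairs of 512-byte read/write
# syscalls. Prints wall-clock seconds as a decimal string.
bench_dd() {
    local count=${1:-1000000}
    local start end
    start=$(date +%s.%N)
    dd if=/dev/zero of=/dev/null bs=512 count="$count" 2>/dev/null
    end=$(date +%s.%N)
    awk -v s="$start" -v e="$end" 'BEGIN { printf "%.4f\n", e - s }'
}

# Load the file as "auditctl -R" does and print the effective order with
# "auditctl -l"; auditctl reports every line it rejects. Skipped (exit 2)
# without root or auditctl so the rest of the script stays runnable.
load_rules() {
    if [ "$(id -u)" -ne 0 ] || ! command -v auditctl >/dev/null 2>&1; then
        echo "skip: loading $1 needs root and auditctl" >&2
        return 2
    fi
    auditctl -R "$1"
    auditctl -l
}

main() {
    local rules=${1:-/tmp/example-audit.rules}
    write_rules "$rules"
    if suppression_first "$rules"; then
        echo "ok: the suppression is the first active rule in $rules"
    fi
    echo "rules evaluated before the suppression: $(rules_before_suppression "$rules")"
    load_rules "$rules" || true
    echo "dd 100000 x 512B read/write pairs: $(bench_dd 100000)s"
}
main "$@"
```

Two caveats follow from the same first-match semantics. The suppression only covers the 64-bit ABI (`arch=b64`); a 32-bit caller still walks the whole list unless a matching `arch=b32` rule is added. And because matching stops at the `never` rule, any later rule that wanted to record `read` or `write` (for example a syscall rule with `-S write` restricted by `-F path=`) will never fire for 64-bit callers, which is the trade-off behind the maintainer's advice to suppress only what you know you do not need.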

kovacs-andras (Contributor) commented:

Use only the bare minimum rules which are necessary for you. Do not apply a single one without understanding what it does.
Do not ignore all the system calls, ignore only those which you know are unnecessary.
Also keep in mind some of the rules won't and can't be triggered.
Load the rules manually and the errors will help a lot! :)

kovacs-andras (Contributor) commented:

@Pierre-Gronau-ndaal any opinions?
