Analyzing suricata alert detection performance issues based on active indicator of compromise rules

Many studies have been related to the Intrusion Detection System (IDS) performance analysis. Still, most focus on inspection performance on high-capacity networks with packet drop percentage as a performance parameter. Few studies are related to performance analysis in the form of detection accuracy based on the number of rules activated. This research will analyze the performance of IDS Suricata based on the number of active rules in the form of Indicator of Compromise (IoC), including IPRep, HTTP, DNS, MD5, and JA3. The analysis method focuses on the detection accuracy of varying the number of active rules up to 1 million, expressed in 5 scenarios. In scenarios 1 to 4, where IoC rules are tested separately, the reduction in detection accuracy performance starts to occur when the number of active rules is at 100,000 and continues to decrease when the number reaches 1 million. However, in scenario 5, where the IoC rules are tested together, the percentage of rules detection accuracy decreases when the number of active rules from each IoC is less than 10,000. The percentage decrease in detection accuracy performance in scenario five can occur with an average reduction of 19.64%. Even further in scenario 5, when the total number of rules reaches 1,000,000 or 200,000 from each IoC, IDS Suricata fails to detect all rules (detection percentage is 0%). This research show that the higher number of rules activated, the decrease in the Suricata IDS performance in terms of detection accuracy.