Description
An engineer where I work did a deep dive into Zeek code and figured out using ranges in DPD signatures kicks off thousands of sigs instead of one. This bacnet repo in particular was pegging high CPU on some of our sensors, along with the ENIP analyzer. So the workaround that was suggested to me is what I put together in this merge request, using a greater than or equal to operator. I'm told this operator gets around this Zeek inefficiency.
This will provide the same logic as the user sees it, but it will make Zeek's CPU usage much happier.
Here is the code where DPD ranges fall into, if you are curious: https://github.com/zeek/zeek/blob/master/src/rule-parse.y#L356
Motivation and context
Testing
Pre-approval checklist
Pre-merge checklist
Post-merge checklist
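As an added illustration (not code from this merge request or from the bacnet repository), here is a DPD signature written once with a port range in its header condition and once with comparison operators, which is the shape of change the description above refers to. The port window 47808-47823, the payload pattern and the analyzer tag are assumptions for the example, not values taken from the repository.

```zeek
# Before: a range inside a header condition. According to the merge
# request, Zeek's rule parser (src/rule-parse.y) expands a range like
# this into one internal rule per value, so a single signature turns
# into many that all have to be evaluated on every packet.
signature dpd_bacnet_range_example {
    ip-proto == udp
    # ASSUMED port window for illustration only
    dst-port == 47808-47823
    # ASSUMED payload check: BACnet/IP BVLC messages start with 0x81
    payload /^\x81/
    # ASSUMED analyzer tag
    enable "bacnet"
}

# After: the same port window expressed as comparisons. Each condition
# is a single comparison, so nothing is expanded. All conditions in a
# signature are ANDed, so the second line keeps the upper bound; if the
# intended range is open-ended, the >= condition alone is enough.
signature dpd_bacnet_cmp_example {
    ip-proto == udp
    dst-port >= 47808
    dst-port <= 47823
    payload /^\x81/
    enable "bacnet"
}
```

Only one of the two signatures should be loaded at a time; they are shown side by side to make the difference in the header condition visible.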