Don’t stress about a bit of stress testing #2

January 25, 2019 in Anti-*, EDR, Random ideas

Yesterday I tested 100K Run keys, today I test 100K Sysmon rules.

Sysmon is visibly struggling:

The CPU goes high, and the logs are not being added. I let it run for a couple of minutes, but this state has not changed. No idea if it just takes that long to ingest so many rules? So… not sure if Sysmon has any upper limits for the number of rules, but I guess we can assume it is not 100K, but less. Why? I tried 1K, 10K, and 25K of identical rules and for these numbers Sysmon worked pretty well. Once Sysmon digested the rules the logs started appearing almost immediately.


It looks like 100K is definitely a killer number. After ~20 minutes the program bailed out stating that there is not enough memory:

The test was not very methodical. I used a bit of a naughty rule that was testing for the presence of a long substring within the string representing the image of each created process. Assuming that Sysmon has to test 1K, 10K, 25K, 100K rules on each process, it should affect the processing speed.
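To reproduce this kind of capacity test against your own lab Sysmon instance before rolling out a large rule set, here is an added example (my code, not the post's own or Sysmon's) that generates a config with N identical ProcessCreate rules of the shape described above (Image "contains" a long substring) and counts the rules back out of the XML so you know exactly how many you are loading. The needle string, the rule group name and the schema version 4.1 are assumptions; check the `schemaversion` against the Sysmon build you are testing (print it with `sysmon -s`) and adjust the 1K/10K/25K sizes to match the steps in the post.

```python
import xml.etree.ElementTree as ET

# Constructed needle: a long substring that will not match any real image path,
# so the rules are evaluated on every process create but never fire.
NEEDLE = "STRESSTEST_" + "Z" * 120

def build_sysmon_config(rule_count: int, needle: str = NEEDLE,
                        schema_version: str = "4.1") -> str:
    """Return a Sysmon config XML with rule_count identical ProcessCreate
    'Image contains <needle>' include rules, all in one OR rule group."""
    if rule_count < 1:
        raise ValueError("rule_count must be >= 1")
    if "<" in needle or "&" in needle:
        raise ValueError("needle must not contain XML markup characters")
    # Build with a list join rather than repeated concatenation so 100K rules
    # is still cheap to generate.
    rule = f'      <Image condition="contains">{needle}</Image>'
    parts = [
        f'<Sysmon schemaversion="{schema_version}">',
        "  <EventFiltering>",
        '    <RuleGroup name="stress-test" groupRelation="or">',
        '    <ProcessCreate onmatch="include">',
    ]
    parts.extend([rule] * rule_count)
    parts.extend([
        "    </ProcessCreate>",
        "    </RuleGroup>",
        "  </EventFiltering>",
        "</Sysmon>",
    ])
    return "\n".join(parts) + "\n"

def count_rules(xml_text: str) -> int:
    """Parse a Sysmon config and count the ProcessCreate Image rules in it.
    Parsing also proves the generated XML is well-formed before loading."""
    root = ET.fromstring(xml_text)
    return len(root.findall(".//ProcessCreate/Image"))

def write_config(path: str, rule_count: int) -> int:
    """Write the generated config to disk and return the verified rule count.
    Load it on a lab host with: sysmon -c <path>"""
    xml_text = build_sysmon_config(rule_count)
    verified = count_rules(xml_text)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(xml_text)
    return verified

if __name__ == "__main__":
    # Step through the sizes from the post; stop before the one that broke Sysmon.
    for n in (1_000, 10_000, 25_000):
        print(f"sysmon-stress-{n}.xml: {write_config(f'sysmon-stress-{n}.xml', n)} rules")
```

While the config loads, watch the Sysmon service's CPU and private bytes and the arrival of event ID 1 in the Microsoft-Windows-Sysmon/Operational log; the post's observation is that the delay between loading and the first events appearing grows with the rule count, and that memory exhaustion, not a hard rule limit, is what eventually stops the service.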

It’s obviously not a biggie, because one needs to modify config to disrupt the processing so much, but it is good to know that too many rules may not be a very healthy idea. Still, since a typical config won’t cross 1-5K rules it should work for you like a charm…
