Hey @qjerome, as per my article it would be good to add unit tests with mocks of the Sysmon events that allow us to test not only that rules match but also that they are performant.
Yes, I could write unit tests (I will think about how to do it easily) for any rule developed in order to test that rules match; however, I don't think performance should be assessed through unit testing.
IMHO a realistic performance test should be run on a running system with real events generated. If you measure performance through unit tests, you will have a performance test in the worst-case scenario because only matching events will be tested (a matching event takes more time to process than a non-matching one). If you want to measure the maximum throughput of events that Gene (and WHIDS by extension) can process, you can use the -progress command line switch of the gene command line. According to my tests, for a bunch of 100 rules run on 60000 events collected on a running machine, the engine is able to process around 7000 events per second when run on a single job (-job switch). This way we can assess the maximum throughput the tool can handle in a realistic scenario.
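To make the two points of this thread concrete (mocked Sysmon events as rule unit-test fixtures, and why a throughput figure taken from matching-only fixtures is a worst case), here is an added Go example. It is not Gene's or WHIDS's code: the `Rule`/`Event` types, the `PowerShellEncoded` rule and the mock process-creation events are all hypothetical and constructed for this illustration, and only the Sysmon Event ID 1 (process creation) field names are real.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is a hypothetical flat view of one Sysmon event (constructed mock, not Gene's type).
type Event map[string]string

// Rule is a hypothetical minimal rule: an exact Sysmon EventID plus
// case-insensitive substrings that must appear in the named fields.
type Rule struct {
	Name     string
	EventID  string
	Contains map[string]string
}

// Match reports whether every condition of the rule holds for the event.
func (r Rule) Match(ev Event) bool {
	if ev["EventID"] != r.EventID {
		return false
	}
	for field, want := range r.Contains {
		if !strings.Contains(strings.ToLower(ev[field]), strings.ToLower(want)) {
			return false
		}
	}
	return true
}

// MockProcessCreate builds a mock Sysmon Event ID 1 (process creation) record.
func MockProcessCreate(image, cmdline, parent string) Event {
	return Event{
		"EventID":     "1",
		"Image":       image,
		"CommandLine": cmdline,
		"ParentImage": parent,
	}
}

// PowerShellEncoded is a constructed example rule used as the unit-test subject.
var PowerShellEncoded = Rule{
	Name:    "PowerShellEncodedCommand",
	EventID: "1",
	Contains: map[string]string{
		"Image":       "powershell.exe",
		"CommandLine": "-enc",
	},
}

// MatchingEvent and BenignEvent are constructed fixtures (the -enc payload is a placeholder).
func MatchingEvent() Event {
	return MockProcessCreate(`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`,
		`powershell.exe -enc AAAAAAAA`, `C:\Windows\explorer.exe`)
}

func BenignEvent() Event {
	return MockProcessCreate(`C:\Windows\System32\svchost.exe`,
		`svchost.exe -k netsvcs`, `C:\Windows\System32\services.exe`)
}

// MixedCorpus returns n constructed events where every matchEvery-th one matches the rule,
// approximating the mostly-non-matching stream a live host produces.
func MixedCorpus(n, matchEvery int) []Event {
	events := make([]Event, 0, n)
	for i := 0; i < n; i++ {
		if i%matchEvery == 0 {
			events = append(events, MatchingEvent())
		} else {
			events = append(events, BenignEvent())
		}
	}
	return events
}

// Throughput runs every rule over every event and returns the match count and events/second.
func Throughput(rules []Rule, events []Event) (matches int, eventsPerSec float64) {
	start := time.Now()
	for _, ev := range events {
		for _, r := range rules {
			if r.Match(ev) {
				matches++
			}
		}
	}
	elapsed := time.Since(start).Seconds()
	if elapsed == 0 {
		return matches, 0
	}
	return matches, float64(len(events)) / elapsed
}

func main() {
	rules := []Rule{PowerShellEncoded}
	// Worst case: a fixture set made only of matching events (what rule unit tests exercise).
	m1, eps1 := Throughput(rules, MixedCorpus(100000, 1))
	// Realistic case: one match in a thousand events.
	m2, eps2 := Throughput(rules, MixedCorpus(100000, 1000))
	fmt.Printf("all-matching: %d matches, %.0f events/s\n", m1, eps1)
	fmt.Printf("mixed:        %d matches, %.0f events/s\n", m2, eps2)
}
```

The unit test checks only correctness (the rule fires on the mock that should fire and stays silent on the benign one); the `main` function shows why timing from such fixtures is pessimistic, since the all-matching corpus forces every rule to evaluate all its conditions on every event, whereas the mixed corpus short-circuits early for most of them.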