Non performant

[osennte]

Hello, I am afraid that this set of rules is not performing well. I tried the following command on a test VM with it:

time dd if=/dev/zero of=/dev/null bs=512 count=1000000

It took about 1.8s; however, when I inserted the following rule on top of the rule set, it took only about 0.4s:

-a never,exit -F arch=b64 -S read,write

Reason is probably that all system calls that are not handled in the rule set are checked against all syscall rules.
It thus might be useful to insert a rule on top that "ignores" all system calls that are not handled in the original rule set and that are often used.

[kovacs-andras]

Use only the bare minimum rules which are necessary for you. Do not apply a single one without understanding what it does.
Do not ignore all the system calls, ignore only those which you know are unnecessary.
Also keep in mind some of the rules won't and can't be triggered.
Load the rules manually and the errors will help a lot! :)

[kovacs-andras]

@Pierre-Gronau-ndaal any opinions?