<div dir="ltr"><div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial">I believe the documentation for the <span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">sgh-mpm-context config option may be incorrect or there is possibly an issue in the code surrounding the processing of this option.  I am not sure which it would be but I am guessing more likely a documentation issue.</span></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial">The documentation for sgh-mpm-context at <a href="http://suricata.readthedocs.io/en/latest/performance/tuning-considerations.html#detect-sgh-mpm-context-auto-single-full">http://suricata.readthedocs.io/en/latest/performance/tuning-considerations.html#detect-sgh-mpm-context-auto-single-full</a> reads that "Auto selects between single and full based on the mpm-algo selected. ac and ac-bs use 'single'. All others 'full'."  This to me means that if the sgh-mpm-context value is set to auto while using Hyperscan for the mpm-algo, that the sgh-mpm-context should be full since hs is not ac or ac-bs.</div></div><div><br></div><div><div>In detect-engine.c in the sgh-mpm-context option parsing block that begins at <a href="https://github.com/OISF/suricata/blob/ffc847db01fbf81df8a647d7a794d99894e4939d/src/detect-engine.c#L1737">https://github.com/OISF/suricata/blob/ffc847db01fbf81df8a647d7a794d99894e4939d/src/detect-engine.c#L1737</a> the first if condition is satisfied when the sgh-mpm-context option is set to auto.  Nested inside of that if block is another if statement (line 1741) that, when evaluating to true, sets the sgh_mpm_context value to ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE (line 1746).  Notice that one of the OR conditions of this if statement on line 1743 has "de_ctx->mpm_matcher == MPM_HS ||", which does also have the requirement that BUILD_HYPERSCAN is defined but that should be the case when Suricata is compiled with Hyperscan support.</div></div><div><br></div><div>In case anyone is interested, the reason I started looking into this is that I noticed my test instance of Suricata took much longer (roughly 6 minutes) to fully start up when setting sgh-mpm-context to full over when it was set to auto.  I was using approximately 27K rules in this test case.  When I checked the documentation it appeared that since I was using Hyperscan in both cases that auto should actually be using full.</div><div><br></div><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Can anyone confirm that I am interpreting this accurately and if so whether or not this is just a documentation issue?</span><br></div><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><span style="color:rgb(0,0,0);font-family:"Helvetica Neue",Helvetica,sans-serif;font-size:small;font-weight:bold;line-height:17.29px;white-space:nowrap">Eric Urban</span><br></div><div dir="ltr"><span style="color:rgb(0,0,0);font-family:"Helvetica Neue",Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap">University Information Security | Office of Information Technology | </span><a href="http://it.umn.edu/" style="color:rgb(17,85,204);font-family:"Helvetica Neue",Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap" target="_blank">it.umn.edu</a><br style="color:rgb(0,0,0);font-family:"Helvetica Neue",Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap"><span style="color:rgb(0,0,0);font-family:"Helvetica Neue",Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap">University of Minnesota | </span><a href="http://umn.edu/" style="color:rgb(17,85,204);font-family:"Helvetica Neue",Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap" target="_blank">umn.edu</a><font face="verdana, sans-serif" style="color:rgb(136,136,136);font-size:12.8px"><br></font></div></div></div></div></div></div></div></div></div>
</div>