<div dir="ltr">Hello Peter,<div><br></div><div>I ran the test I mentioned on Suricata 3.1, 4.0.3, and 4.0.4. The 3.1 and 4.0.4 tests were on a VM while the 4.0.3 test was on a physical machine (40 cores, 128GB memory). </div><div><br></div><div>In the cases where the difference in startup times was most significant, I also had the detect.profile value set to high. </div><div><br></div><div>In my tests on the VMs, I was using the default config file (from running 'make install-full') and modified only:</div><div><ul><li>the HOME_NET value</li><li>enabled the http.log</li><li>changed rule-files to point to a different file with the 27K rules</li><li>set mpm-algo and spm-algo to hs</li><li>detect.profile to high</li><li>detect.sgh-mpm-context to full</li></ul></div><div><br></div><div>Also, please let me know if this discussion is better suited for Oisf-users. I felt the dev list was more appropriate since I was mostly asking if the docs were incorrect based on the code.</div><div><br></div><div><br></div><div>Finally, for reference, here are some log excerpts showing the startup times when making only the changes I described above on a VM:</div><div><div>[vagrant@suricata4-vagrant ~]$ sudo suricata -vv -c /etc/suricata/suricata.yaml -i eth0 --init-errors-fatal </div><div>22/2/2018 -- 20:01:07 - <Notice> - This is Suricata version 4.0.4 RELEASE</div><div>22/2/2018 -- 20:01:07 - <Info> - CPUs/cores online: 1</div><div>...</div><div>22/2/2018 -- 20:01:24 - <Perf> - using unique mpm ctx' for file_data</div><div>22/2/2018 -- 20:01:24 - <Info> - 27425 signatures processed. 
247 are IP-only rules, 12279 are inspecting packet payload, 18201 inspect application layer, 0 are decoder event only</div><div>22/2/2018 -- 20:01:25 - <Perf> - TCP toserver: 76 port groups, 71 unique SGH's, 5 copies</div><div>22/2/2018 -- 20:01:25 - <Perf> - TCP toclient: 76 port groups, 45 unique SGH's, 31 copies</div><div>22/2/2018 -- 20:01:25 - <Perf> - UDP toserver: 76 port groups, 43 unique SGH's, 33 copies</div><div>22/2/2018 -- 20:01:25 - <Perf> - UDP toclient: 17 port groups, 10 unique SGH's, 7 copies</div><div>22/2/2018 -- 20:01:25 - <Perf> - OTHER toserver: 254 proto groups, 4 unique SGH's, 250 copies</div><div>22/2/2018 -- 20:01:25 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies</div><div>22/2/2018 -- 20:09:00 - <Perf> - Unique rule groups: 173</div><div>22/2/2018 -- 20:09:00 - <Perf> - Builtin MPM "toserver TCP packet": 56</div><div>...</div><div>22/2/2018 -- 20:09:00 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.</div><div>22/2/2018 -- 20:09:00 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=103 frame_size=1600 frame_nr=2060</div><div>22/2/2018 -- 20:09:00 - <Info> - All AFP capture threads are running.</div></div><div><br></div><div><br></div><div><br></div><div>Here are similar log lines when only changing detect.sgh-mpm-context to auto on the same machine:</div><div><div>[vagrant@suricata4-vagrant ~]$ sudo suricata -vv -c /etc/suricata/suricata.yaml -i eth0 --init-errors-fatal </div><div>22/2/2018 -- 20:38:03 - <Notice> - This is Suricata version 4.0.4 RELEASE</div><div>22/2/2018 -- 20:38:03 - <Info> - CPUs/cores online: 1</div><div>...</div><div>22/2/2018 -- 20:38:19 - <Perf> - using shared mpm ctx' for file_data</div><div>22/2/2018 -- 20:38:19 - <Info> - 27425 signatures processed. 
247 are IP-only rules, 12279 are inspecting packet payload, 18201 inspect application layer, 0 are decoder event only</div><div>22/2/2018 -- 20:38:19 - <Perf> - TCP toserver: 76 port groups, 71 unique SGH's, 5 copies</div><div>22/2/2018 -- 20:38:19 - <Perf> - TCP toclient: 76 port groups, 45 unique SGH's, 31 copies</div><div>22/2/2018 -- 20:38:19 - <Perf> - UDP toserver: 76 port groups, 43 unique SGH's, 33 copies</div><div>22/2/2018 -- 20:38:19 - <Perf> - UDP toclient: 17 port groups, 10 unique SGH's, 7 copies</div><div>22/2/2018 -- 20:38:19 - <Perf> - OTHER toserver: 254 proto groups, 4 unique SGH's, 250 copies</div><div>22/2/2018 -- 20:38:19 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies</div><div>22/2/2018 -- 20:38:30 - <Perf> - Unique rule groups: 173</div><div>...</div><div>22/2/2018 -- 20:38:43 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.</div><div>22/2/2018 -- 20:38:43 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=103 frame_size=1600 frame_nr=2060</div><div>22/2/2018 -- 20:38:43 - <Info> - All AFP capture threads are running.</div></div><div><br></div><div><br></div><div>Thank you,</div><div>Eric</div><div class="gmail_extra">
<br><div class="gmail_quote">On Thu, Feb 22, 2018 at 10:10 AM, Peter Manev <span dir="ltr"><<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Tue, Feb 20, 2018 at 3:23 PM, Eric Urban <<a href="mailto:eurban@umn.edu">eurban@umn.edu</a>> wrote:<br>
> I believe the documentation for the sgh-mpm-context config option may be<br>
> incorrect or there is possibly an issue in the code surrounding the<br>
> processing of this option. I am not sure which it would be but I am<br>
> guessing more likely a documentation issue.<br>
><br>
> The documentation for sgh-mpm-context at<br>
> <a href="http://suricata.readthedocs.io/en/latest/performance/tuning-considerations.html#detect-sgh-mpm-context-auto-single-full" rel="noreferrer" target="_blank">http://suricata.readthedocs.io/en/latest/performance/tuning-considerations.html#detect-sgh-mpm-context-auto-single-full</a><br>
> reads that "Auto selects between single and full based on the mpm-algo<br>
> selected. ac and ac-bs use 'single'. All others 'full'." This to me means<br>
> that if the sgh-mpm-context value is set to auto while using Hyperscan for<br>
> the mpm-algo, that the sgh-mpm-context should be full since hs is not ac or<br>
> ac-bs.<br>
><br>
> In detect-engine.c in the sgh-mpm-context option parsing block that begins<br>
> at<br>
> <a href="https://github.com/OISF/suricata/blob/ffc847db01fbf81df8a647d7a794d99894e4939d/src/detect-engine.c#L1737" rel="noreferrer" target="_blank">https://github.com/OISF/suricata/blob/ffc847db01fbf81df8a647d7a794d99894e4939d/src/detect-engine.c#L1737</a><br>
> the first if condition is satisfied when the sgh-mpm-context option is set<br>
> to auto. Nested inside of that if block is another if statement (line 1741)<br>
> that, when evaluating to true, sets the sgh_mpm_context value to<br>
> ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE (line 1746). Notice that one of the<br>
> OR conditions of this if statement on line 1743 has "de_ctx->mpm_matcher ==<br>
> MPM_HS ||", which does also have the requirement that BUILD_HYPERSCAN is<br>
> defined but that should be the case when Suricata is compiled with Hyperscan<br>
> support.<br>
><br>
> In case anyone is interested, the reason I started looking into this is that<br>
> I noticed my test instance of Suricata took much longer (roughly 6 minutes)<br>
> to fully start up when setting sgh-mpm-context to full over when it was set<br>
> to auto. I was using approximately 27K rules in this test case. When I<br>
> checked the documentation it appeared that since I was using Hyperscan in<br>
> both cases that auto should actually be using full.<br>
><br>
> Can anyone confirm that I am interpreting this accurately and if so whether<br>
> or not this is just a documentation issue?<br>
<br>
Hi Eric,<br>
Which Suricata version are you using?<br>
<br>
Thanks<br>
<span class="gmail-HOEnZb"><font color="#888888"><br>
--<br>
Regards,<br>
Peter Manev<br>
</font></span></blockquote></div><br></div></div>
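As an added example (not code from the thread or from the Suricata project), the script below parses the two startup log excerpts Eric quoted, in Suricata's "DD/M/YYYY -- HH:MM:SS - &lt;Level&gt; - message" console format, and measures the time spent between "signatures processed" and "engine started", which is the detection-engine build phase that the sgh-mpm-context setting affects. The mapping of the "using unique mpm ctx'" and "using shared mpm ctx'" messages to the full and single settings is inferred from the two runs on the page, and the sample logs are trimmed copies of those excerpts; everything else (function names, the dict layout) is an assumption of this example.

```python
import re
from datetime import datetime

# Suricata's default console log format, e.g.
#   22/2/2018 -- 20:01:07 - <Info> - CPUs/cores online: 1
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) -- (?P<time>\d{2}:\d{2}:\d{2}) - "
    r"<(?P<level>\w+)> - (?P<msg>.*)$"
)

# Startup excerpts quoted in the thread (sgh-mpm-context=full, then auto),
# trimmed to the lines the measurement needs. The shell prompt and "..." lines
# are kept on purpose to show that non-log lines are skipped.
LOG_FULL = """\
[vagrant@suricata4-vagrant ~]$ sudo suricata -vv -c /etc/suricata/suricata.yaml -i eth0 --init-errors-fatal
22/2/2018 -- 20:01:07 - <Notice> - This is Suricata version 4.0.4 RELEASE
22/2/2018 -- 20:01:07 - <Info> - CPUs/cores online: 1
...
22/2/2018 -- 20:01:24 - <Perf> - using unique mpm ctx' for file_data
22/2/2018 -- 20:01:24 - <Info> - 27425 signatures processed. 247 are IP-only rules, 12279 are inspecting packet payload, 18201 inspect application layer, 0 are decoder event only
22/2/2018 -- 20:01:25 - <Perf> - TCP toserver: 76 port groups, 71 unique SGH's, 5 copies
22/2/2018 -- 20:09:00 - <Perf> - Unique rule groups: 173
22/2/2018 -- 20:09:00 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
"""

LOG_AUTO = """\
22/2/2018 -- 20:38:03 - <Notice> - This is Suricata version 4.0.4 RELEASE
...
22/2/2018 -- 20:38:19 - <Perf> - using shared mpm ctx' for file_data
22/2/2018 -- 20:38:19 - <Info> - 27425 signatures processed. 247 are IP-only rules, 12279 are inspecting packet payload, 18201 inspect application layer, 0 are decoder event only
22/2/2018 -- 20:38:30 - <Perf> - Unique rule groups: 173
22/2/2018 -- 20:38:43 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
"""


def parse_line(line):
    """Return (timestamp, level, message) for a Suricata log line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H:%M:%S")
    return ts, m["level"], m["msg"]


def startup_profile(log_text):
    """Summarise the rule-loading phase of one Suricata start.

    Returns the MPM context mode the engine reported, the number of signatures
    loaded, and the seconds between "signatures processed" (rules parsed, rule
    groups and MPM contexts about to be built) and "engine started".
    """
    profile = {"mpm_ctx": None, "signatures": None, "setup_seconds": None}
    sigs_done = started = None
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue  # shell prompt, "...", blank or wrapped continuation lines
        ts, _level, msg = parsed
        # Suricata prints one of these per buffer; the mapping to the setting is
        # inferred from the two runs in the thread (unique == full, shared == single).
        if "using unique mpm ctx'" in msg:
            profile["mpm_ctx"] = "full"
        elif "using shared mpm ctx'" in msg:
            profile["mpm_ctx"] = "single"
        elif "signatures processed" in msg:
            profile["signatures"] = int(msg.split()[0])
            sigs_done = ts
        elif msg.endswith("engine started."):
            started = ts
    if sigs_done is not None and started is not None:
        profile["setup_seconds"] = (started - sigs_done).total_seconds()
    return profile


def compare(log_a, log_b):
    """Return how many times longer run A's detect setup took than run B's."""
    a = startup_profile(log_a)["setup_seconds"]
    b = startup_profile(log_b)["setup_seconds"]
    if not a or not b:
        return None  # one of the runs never reached "engine started"
    return a / b


if __name__ == "__main__":
    for name, log in (("full", LOG_FULL), ("auto", LOG_AUTO)):
        p = startup_profile(log)
        print(f"{name:5s} mpm_ctx={p['mpm_ctx']:6s} sigs={p['signatures']} "
              f"setup={p['setup_seconds']:.0f}s")
    print(f"full/auto ratio: {compare(LOG_FULL, LOG_AUTO):.1f}x")
```

Run it against a saved "suricata -vv" startup log to get the same numbers for your own rule set; the "signatures processed" marker is used rather than process start because the time before it (config parsing, rule file reading) does not depend on the sgh-mpm-context setting, so the measured window isolates the part the thread is about.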