[Oisf-devel] sgh-mpm-context when set to auto and using Hyperscan

Eric Urban eurban at umn.edu
Tue Feb 20 20:23:10 UTC 2018


I believe the documentation for the sgh-mpm-context config option may be
incorrect or there is possibly an issue in the code surrounding the
processing of this option.  I am not sure which it would be but I am
guessing more likely a documentation issue.

The documentation for sgh-mpm-context at
http://suricata.readthedocs.io/en/latest/performance/tuning-considerations.html#detect-sgh-mpm-context-auto-single-full
reads that "Auto selects between single and full based on the mpm-algo
selected. ac and ac-bs use 'single'. All others 'full'."  This to me means
that if the sgh-mpm-context value is set to auto while using Hyperscan for
the mpm-algo, the sgh-mpm-context should be full since hs is not ac or
ac-bs.

In detect-engine.c in the sgh-mpm-context option parsing block that begins
at
https://github.com/OISF/suricata/blob/ffc847db01fbf81df8a647d7a794d99894e4939d/src/detect-engine.c#L1737
the first if condition is satisfied when the sgh-mpm-context option is set
to auto.  Nested inside of that if block is another if statement (line
1741) that, when evaluating to true, sets the sgh_mpm_context value to
ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE (line 1746).  Notice that one of the
OR conditions of this if statement on line 1743 has "de_ctx->mpm_matcher ==
MPM_HS ||", which does also have the requirement that BUILD_HYPERSCAN is
defined but that should be the case when Suricata is compiled with
Hyperscan support.

In case anyone is interested, the reason I started looking into this is
that I noticed my test instance of Suricata took much longer (roughly 6
minutes) to fully start up when setting sgh-mpm-context to full than when
it was set to auto.  I was using approximately 27K rules in this test
case.  When I checked the documentation it appeared that since I was using
Hyperscan in both cases, auto should actually be using full.

Can anyone confirm that I am interpreting this accurately and if so whether
or not this is just a documentation issue?

Eric Urban
University Information Security | Office of Information Technology |
it.umn.edu
University of Minnesota | umn.edu