[Oisf-devel] sgh-mpm-context when set to auto and using Hyperscan
Peter Manev
petermanev at gmail.com
Thu Feb 22 16:10:38 UTC 2018
On Tue, Feb 20, 2018 at 3:23 PM, Eric Urban <eurban at umn.edu> wrote:
> I believe the documentation for the sgh-mpm-context config option may be
> incorrect or there is possibly an issue in the code surrounding the
> processing of this option. I am not sure which it would be but I am
> guessing more likely a documentation issue.
>
> The documentation for sgh-mpm-context at
> http://suricata.readthedocs.io/en/latest/performance/tuning-considerations.html#detect-sgh-mpm-context-auto-single-full
> reads that "Auto selects between single and full based on the mpm-algo
> selected. ac and ac-bs use 'single'. All others 'full'." This to me means
> that if the sgh-mpm-context value is set to auto while using Hyperscan for
> the mpm-algo, that the sgh-mpm-context should be full since hs is not ac or
> ac-bs.
>
> In detect-engine.c in the sgh-mpm-context option parsing block that begins
> at
> https://github.com/OISF/suricata/blob/ffc847db01fbf81df8a647d7a794d99894e4939d/src/detect-engine.c#L1737
> the first if condition is satisfied when the sgh-mpm-context option is set
> to auto. Nested inside of that if block is another if statement (line 1741)
> that, when evaluating to true, sets the sgh_mpm_context value to
> ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE (line 1746). Notice that one of the
> OR conditions of this if statement on line 1743 has "de_ctx->mpm_matcher ==
> MPM_HS ||", which does also have the requirement that BUILD_HYPERSCAN is
> defined but that should be the case when Suricata is compiled with Hyperscan
> support.
>
> In case anyone is interested, the reason I started looking into this is that
> I noticed my test instance of Suricata took much longer (roughly 6 minutes)
> to fully start up when setting sgh-mpm-context to full over when it was set
> to auto. I was using approximately 27K rules in this test case. When I
> checked the documentation it appeared that since I was using Hyperscan in
> both cases that auto should actually be using full.
>
> Can anyone confirm that I am interpreting this accurately and if so whether
> or not this is just a documentation issue?
Hi Eric,
Which Suricata version are you using?
Thanks
--
Regards,
Peter Manev
More information about the Oisf-devel
mailing list