[Oisf-devel] sgh-mpm-context when set to auto and using Hyperscan

Eric Urban eurban at umn.edu
Thu Feb 22 21:04:34 UTC 2018


Hello Peter,

I ran the test I mentioned on Suricata 3.1, 4.0.3, and 4.0.4.  The 3.1 and
4.0.4 tests were on a VM while the 4.0.3 test was on a physical machine (40
cores, 128GB memory).

In the cases where the difference in startup times was the most significant, I
also had the detect.profile value set to high.

In my tests on the VMs, I was using the default config file (from running
'make install-full') and modified only:

   - the HOME_NET value
   - enabled the http.log
   - changed rule-files to point to a different file with the 27K rules
   - set mpm-algo and spm-algo to hs
   - detect.profile to high
   - detect.sgh-mpm-context to full


Also, please let me know if this discussion is better suited for
Oisf-users.  I felt the dev list was more appropriate since I was mostly
asking if the docs were incorrect based on the code.


Finally, for reference here are some log excerpts showing the startup times
when only making the changes I described above on a VM:
[vagrant at suricata4-vagrant ~]$ sudo suricata -vv -c /etc/suricata/suricata.yaml -i eth0 --init-errors-fatal
22/2/2018 -- 20:01:07 - <Notice> - This is Suricata version 4.0.4 RELEASE
22/2/2018 -- 20:01:07 - <Info> - CPUs/cores online: 1
...
22/2/2018 -- 20:01:24 - <Perf> - using unique mpm ctx' for file_data
22/2/2018 -- 20:01:24 - <Info> - 27425 signatures processed. 247 are IP-only rules, 12279 are inspecting packet payload, 18201 inspect application layer, 0 are decoder event only
22/2/2018 -- 20:01:25 - <Perf> - TCP toserver: 76 port groups, 71 unique SGH's, 5 copies
22/2/2018 -- 20:01:25 - <Perf> - TCP toclient: 76 port groups, 45 unique SGH's, 31 copies
22/2/2018 -- 20:01:25 - <Perf> - UDP toserver: 76 port groups, 43 unique SGH's, 33 copies
22/2/2018 -- 20:01:25 - <Perf> - UDP toclient: 17 port groups, 10 unique SGH's, 7 copies
22/2/2018 -- 20:01:25 - <Perf> - OTHER toserver: 254 proto groups, 4 unique SGH's, 250 copies
22/2/2018 -- 20:01:25 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
22/2/2018 -- 20:09:00 - <Perf> - Unique rule groups: 173
22/2/2018 -- 20:09:00 - <Perf> - Builtin MPM "toserver TCP packet": 56
...
22/2/2018 -- 20:09:00 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
22/2/2018 -- 20:09:00 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=103 frame_size=1600 frame_nr=2060
22/2/2018 -- 20:09:00 - <Info> - All AFP capture threads are running.



Here are similar log lines when only changing detect.sgh-mpm-context to
auto on the same machine:
[vagrant at suricata4-vagrant ~]$ sudo suricata -vv -c /etc/suricata/suricata.yaml -i eth0 --init-errors-fatal
22/2/2018 -- 20:38:03 - <Notice> - This is Suricata version 4.0.4 RELEASE
22/2/2018 -- 20:38:03 - <Info> - CPUs/cores online: 1
...
22/2/2018 -- 20:38:19 - <Perf> - using shared mpm ctx' for file_data
22/2/2018 -- 20:38:19 - <Info> - 27425 signatures processed. 247 are IP-only rules, 12279 are inspecting packet payload, 18201 inspect application layer, 0 are decoder event only
22/2/2018 -- 20:38:19 - <Perf> - TCP toserver: 76 port groups, 71 unique SGH's, 5 copies
22/2/2018 -- 20:38:19 - <Perf> - TCP toclient: 76 port groups, 45 unique SGH's, 31 copies
22/2/2018 -- 20:38:19 - <Perf> - UDP toserver: 76 port groups, 43 unique SGH's, 33 copies
22/2/2018 -- 20:38:19 - <Perf> - UDP toclient: 17 port groups, 10 unique SGH's, 7 copies
22/2/2018 -- 20:38:19 - <Perf> - OTHER toserver: 254 proto groups, 4 unique SGH's, 250 copies
22/2/2018 -- 20:38:19 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
22/2/2018 -- 20:38:30 - <Perf> - Unique rule groups: 173
...
22/2/2018 -- 20:38:43 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
22/2/2018 -- 20:38:43 - <Perf> - AF_PACKET RX Ring params: block_size=32768 block_nr=103 frame_size=1600 frame_nr=2060
22/2/2018 -- 20:38:43 - <Info> - All AFP capture threads are running.


Thank you,
Eric

On Thu, Feb 22, 2018 at 10:10 AM, Peter Manev <petermanev at gmail.com> wrote:

> On Tue, Feb 20, 2018 at 3:23 PM, Eric Urban <eurban at umn.edu> wrote:
> > I believe the documentation for the sgh-mpm-context config option may be
> > incorrect or there is possibly an issue in the code surrounding the
> > processing of this option.  I am not sure which it would be but I am
> > guessing more likely a documentation issue.
> >
> > The documentation for sgh-mpm-context at
> > http://suricata.readthedocs.io/en/latest/performance/tuning-considerations.html#detect-sgh-mpm-context-auto-single-full
> > reads that "Auto selects between single and full based on the mpm-algo
> > selected. ac and ac-bs use 'single'. All others 'full'."  This to me means
> > that if the sgh-mpm-context value is set to auto while using Hyperscan for
> > the mpm-algo, that the sgh-mpm-context should be full since hs is not ac or
> > ac-bs.
> >
> > In detect-engine.c in the sgh-mpm-context option parsing block that begins
> > at
> > https://github.com/OISF/suricata/blob/ffc847db01fbf81df8a647d7a794d99894e4939d/src/detect-engine.c#L1737
> > the first if condition is satisfied when the sgh-mpm-context option is set
> > to auto.  Nested inside of that if block is another if statement (line 1741)
> > that, when evaluating to true, sets the sgh_mpm_context value to
> > ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE (line 1746).  Notice that one of the
> > OR conditions of this if statement on line 1743 has "de_ctx->mpm_matcher ==
> > MPM_HS ||", which does also have the requirement that BUILD_HYPERSCAN is
> > defined but that should be the case when Suricata is compiled with Hyperscan
> > support.
> >
> > In case anyone is interested, the reason I started looking into this is that
> > I noticed my test instance of Suricata took much longer (roughly 6 minutes)
> > to fully start up when setting sgh-mpm-context to full over when it was set
> > to auto.  I was using approximately 27K rules in this test case.  When I
> > checked the documentation it appeared that since I was using Hyperscan in
> > both cases that auto should actually be using full.
> >
> > Can anyone confirm that I am interpreting this accurately and if so whether
> > or not this is just a documentation issue?
>
> Hi Eric,
> Which Suricata version are you using?
>
> Thanks
>
> --
> Regards,
> Peter Manev
>
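Editor's note, added to this archived thread and not part of either message or of the Suricata project: the startup logs above are the only evidence in the thread of which sgh-mpm-context mode the engine really chose, and the timestamps are what carry the 7-minute difference. The script below (Python, standard library only) parses `suricata -vv` startup output, reports which mode the engine ran with based on the "using unique mpm ctx'" versus "using shared mpm ctx'" lines (that mapping is inferred from the two runs in the post, not from Suricata documentation), and times the rule-load, rule-group/MPM-build and total-startup phases so two runs can be compared without hand arithmetic. Line joining for messages a mail client wrapped at 80 columns is included so pasted archive text parses. The sample logs are constructed from the excerpts in the post, reduced to the lines the script uses.

```python
import re
from datetime import datetime

# One Suricata -vv console line: "22/2/2018 -- 20:01:07 - <Perf> - message".
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} -- \d{2}:\d{2}:\d{2}) - <(?P<level>\w+)> - (?P<msg>.*)$"
)
TS_FMT = "%d/%m/%Y -- %H:%M:%S"

# Startup milestones to time, each identified by a substring of the message
# Suricata prints for it (the substrings are taken from the excerpts above).
MILESTONES = [
    ("start", "This is Suricata version"),
    ("sigs_loaded", "signatures processed."),
    ("groups_built", "Unique rule groups:"),
    ("engine_started", "engine started."),
]


def log_records(text):
    """Return (timestamp, level, message) tuples. A line without a timestamp
    is treated as a continuation of the previous message, so output that a
    mail client wrapped at 80 columns still parses correctly."""
    recs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":
            continue
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), TS_FMT)
            recs.append([ts, m.group("level"), m.group("msg")])
        elif recs:
            recs[-1][2] += " " + line
    return [tuple(r) for r in recs]


def parse_startup_log(text):
    """Summarise one startup: version, the sgh-mpm-context mode the engine
    actually ran with, and the length of each startup phase in seconds."""
    stamps = {}
    info = {"version": None, "sgh_mpm_context": None}
    for ts, _level, msg in log_records(text):
        if msg.startswith("This is Suricata version"):
            info["version"] = msg.split()[4]
        # Inferred from the two runs in the post: 'full' logs a unique mpm ctx
        # per buffer, while 'auto' with hs (resolved to 'single') logs a shared one.
        if "using unique mpm ctx'" in msg:
            info["sgh_mpm_context"] = "full"
        elif "using shared mpm ctx'" in msg:
            info["sgh_mpm_context"] = "single"
        for key, needle in MILESTONES:
            if needle in msg and key not in stamps:
                stamps[key] = ts

    def seconds(a, b):
        if a in stamps and b in stamps:
            return (stamps[b] - stamps[a]).total_seconds()
        return None  # milestone missing from this excerpt

    info["rule_load_s"] = seconds("start", "sigs_loaded")
    info["group_build_s"] = seconds("sigs_loaded", "groups_built")  # MPM compile
    info["total_startup_s"] = seconds("start", "engine_started")
    return info


def compare_runs(a_text, b_text):
    """Field-by-field (run A, run B) pairs for two startup logs."""
    a, b = parse_startup_log(a_text), parse_startup_log(b_text)
    return {k: (a[k], b[k]) for k in a}


# Constructed sample input: the two excerpts from the post, reduced to the lines
# used above and wrapped at 80 columns the way a mail client wraps them.
FULL_LOG = """\
22/2/2018 -- 20:01:07 - <Notice> - This is Suricata version 4.0.4 RELEASE
...
22/2/2018 -- 20:01:24 - <Perf> - using unique mpm ctx' for file_data
22/2/2018 -- 20:01:24 - <Info> - 27425 signatures processed. 247 are
IP-only rules, 12279 are inspecting packet payload, 18201 inspect
application layer, 0 are decoder event only
22/2/2018 -- 20:09:00 - <Perf> - Unique rule groups: 173
22/2/2018 -- 20:09:00 - <Notice> - all 1 packet processing threads, 4
management threads initialized, engine started.
"""

AUTO_LOG = """\
22/2/2018 -- 20:38:03 - <Notice> - This is Suricata version 4.0.4 RELEASE
...
22/2/2018 -- 20:38:19 - <Perf> - using shared mpm ctx' for file_data
22/2/2018 -- 20:38:19 - <Info> - 27425 signatures processed. 247 are
IP-only rules, 12279 are inspecting packet payload, 18201 inspect
application layer, 0 are decoder event only
22/2/2018 -- 20:38:30 - <Perf> - Unique rule groups: 173
22/2/2018 -- 20:38:43 - <Notice> - all 1 packet processing threads, 4
management threads initialized, engine started.
"""

if __name__ == "__main__":
    for field, (full, auto) in compare_runs(FULL_LOG, AUTO_LOG).items():
        print(f"{field:18} full={full!s:10} auto={auto!s:10}")
```

Run it against a captured `suricata -vv` startup (pipe the console output into a file and pass its contents to parse_startup_log) to confirm which context mode a given mpm-algo/sgh-mpm-context pair actually produced; with the excerpts above it attributes almost all of the 473-second full-mode startup to the phase between "signatures processed" and "Unique rule groups", where the per-group MPM contexts are built, versus 11 seconds for the same phase in auto mode.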