[Oisf-users] New MPM available
Anoop Saldanha
anoopsaldanha at gmail.com
Tue Feb 14 09:22:37 UTC 2012
Hello all,
We have a new MPM available in our codebase - "ac-bs". This provides
compression that's pretty close to ac-gfbs, while performing better
than ac-gfbs.
To use this mpm, set
"mpm-algo: ac-bs" in the conf file.
Would appreciate performance numbers with both
"sgh-mpm-context:full"
and
"sgh-mpm-context:single"
To give an explanation on what "sgh-mpm-context" and the params "full"
and "single" mean, these refer to how we set up mpm contexts.
"single" indicates that we use a single context for all the patterns
in the engine. "full" indicates that we split the patterns into many
mpm contexts, one mpm context per signature group head(sgh).
To use "full" with a sufficiently decent ruleset(say > 10k rules with
a decent no of patterns) would require a lot of memory, running into a
couple of gigs for ac-gfbs or ac-bs or b2gc, or tens of gigs in case
of "ac". "single" solves this with a single context and hence the
smaller memory footprint for the engine.
If the machine has sufficient memory, "full" is suggested as it
provides much better performance than "single", albeit at the cost of
increased memory consumption. More of a available_memory vs
performance scenario.
Looking forward to some performance/memory feedback/benchmarks with
this mpm from the community.
*mpm - multi pattern matcher
*sgh - signature group head
--
Anoop Saldanha
More information about the Oisf-users
mailing list