[Oisf-users] New MPM available

[Victor Julien]

On 02/14/2012 10:22 AM, Anoop Saldanha wrote:
> Hello all,
> 
> We have a new MPM available in our codebase - "ac-bs".  This provides
> compression that's pretty close to ac-gfbs, while performing better
> than ac-gfbs.
> 
> To use this mpm, set
> 
> "mpm-algo: ac-bs" in the conf file.
> 
> Would appreciate performance numbers with both
> 
> "sgh-mpm-context:full"
> and
> "sgh-mpm-context:single"
> 
> To give an explanation on what "sgh-mpm-context" and the params "full"
> and "single" mean, these refer to how we set up mpm contexts.
> "single" indicates that we use a single context for all the patterns
> in the engine.  "full" indicates that we split the patterns into many
> mpm contexts, one mpm context per signature group head(sgh).
> 
> To use "full" with a sufficiently decent ruleset(say > 10k rules with
> a decent no of patterns) would require a lot of memory, running into a
> couple of gigs for ac-gfbs or ac-bs or b2gc, or tens of gigs in case
> of "ac".  "single" solves this with a single context and hence the
> smaller memory footprint for the engine.
> 
> If the machine has sufficient memory, "full" is suggested as it
> provides much better performance than "single", albeit at the cost of
> increased memory consumption.  More of a available_memory vs
> performance scenario.
> 
> Looking forward to some performance/memory feedback/benchmarks with
> this mpm from the community.

So far from what I have seen, in a default et ruleset with the default
suricata.yaml, "ac" is faster than "ac-bs".

It would be interesting to set the "detect-engine.profile" to high with
"ac-bs", as that settings increases the number of rule groups (sgh).

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------