[Oisf-users] New MPM available

Anoop Saldanha anoopsaldanha at gmail.com
Wed Feb 15 08:08:29 UTC 2012


On Tue, Feb 14, 2012 at 3:17 PM, Victor Julien <victor at inliniac.net> wrote:
> On 02/14/2012 10:22 AM, Anoop Saldanha wrote:
>> Hello all,
>>
>> We have a new MPM available in our codebase - "ac-bs".  This provides
>> compression that's pretty close to ac-gfbs, while performing better
>> than ac-gfbs.
>>
>> To use this mpm, set
>>
>> "mpm-algo: ac-bs" in the conf file.
>>
>> Would appreciate performance numbers with both
>>
>> "sgh-mpm-context:full"
>> and
>> "sgh-mpm-context:single"
>>
>> To give an explanation on what "sgh-mpm-context" and the params "full"
>> and "single" mean, these refer to how we set up mpm contexts.
>> "single" indicates that we use a single context for all the patterns
>> in the engine.  "full" indicates that we split the patterns into many
>> mpm contexts, one mpm context per signature group head (sgh).
>>
>> To use "full" with a sufficiently decent ruleset (say > 10k rules with
>> a decent no. of patterns) would require a lot of memory, running into a
>> couple of gigs for ac-gfbs or ac-bs or b2gc, or tens of gigs in case
>> of "ac".  "single" solves this with a single context and hence the
>> smaller memory footprint for the engine.
>>
>> If the machine has sufficient memory, "full" is suggested as it
>> provides much better performance than "single", albeit at the cost of
>> increased memory consumption.  More of an available_memory vs
>> performance scenario.
>>
>> Looking forward to some performance/memory feedback/benchmarks with
>> this mpm from the community.
>
> So far from what I have seen, in a default et ruleset with the default
> suricata.yaml, "ac" is faster than "ac-bs".
>
> It would be interesting to set the "detect-engine.profile" to high with
> "ac-bs", as that setting increases the number of rule groups (sgh).
>

It will make a difference only if we use sgh-mpm-context:full.


Keen to see how ac-bs performs with "full" sgh-mpm-context, against other mpms.


-- 
Anoop Saldanha
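The settings discussed in this thread, written out as an added suricata.yaml fragment (not from the original mails or from the Suricata project); the key layout follows the suricata.yaml shipped with Suricata 1.x at the time and should be checked against your own file:

```yaml
# Added example: the knobs the thread asks people to benchmark.
# Select the multi pattern matcher. "ac-bs" is the new one; "ac" is the
# fastest but needs tens of GB with a large ruleset in "full" context mode.
mpm-algo: ac-bs

detect-engine:
  # "high" creates more signature group heads (sgh). That only changes
  # MPM behaviour when sgh-mpm-context is "full" (one context per sgh);
  # with "single" every sgh shares the one context anyway.
  - profile: high

  # "full"   = one MPM context per sgh: best performance, but a couple of
  #            GB for ac-bs / ac-gfbs / b2gc on a >10k-rule set.
  # "single" = one MPM context for all patterns: small footprint, slower.
  - sgh-mpm-context: full
```

For the memory-constrained run, change `sgh-mpm-context: full` to `single` and leave the rest untouched, so the two numbers differ only in context layout. Compare both against the same pcap and ruleset so the memory and throughput figures are comparable.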


