[Oisf-users] New MPM available

[Chris Wakelin]

On 15/02/12 08:08, Anoop Saldanha wrote:
> On Tue, Feb 14, 2012 at 3:17 PM, Victor Julien <victor at inliniac.net> wrote:
>> On 02/14/2012 10:22 AM, Anoop Saldanha wrote:
>>> Hello all,
>>>
>>> We have a new MPM available in our codebase - "ac-bs".  This provides
>>> compression that's pretty close to ac-gfbs, while performing better
>>> than ac-gfbs.
>>>
>>> To use this mpm, set
>>>
>>> "mpm-algo: ac-bs" in the conf file.
>>>
>>> Would appreciate performance numbers with both
>>>
>>> "sgh-mpm-context:full"
>>> and
>>> "sgh-mpm-context:single"
>>>

<snip>

> Keen to see how ac-bs performs with "full" sgh-mpm-context, against other mpms.

Here's a quick test against a 1.2GB 1.7m pcap with ~4k rules, 13 alerts,
10k URLs:

ac/context=full/profile=medium/runmode=single: 30.8s ~4.5GB max mem
ac-bs/<ditto> : 46.5s ~3GB max mem
ac-gfbs/<ditto> : 53s ~3GB max mem

Much the same with profile=high (slightly less time for ac-bs and
ac-gfbs and more for ac). I guess we need a bigger ruleset to see a
difference.

ac/context=full/profile=medium/runmode=autofp (8 detect threads, CPU
affinity set): 13s ~5GB max mem
ac-bs/<ditto>: 16.1s ~3.2GB max mem
ac-gfbs/<ditto>: 18.1s ~3.2GB max mem

so slightly more memory and much faster!

The upshot seems to be that it's somewhere between ac and ac-gfbs for
performance whilst using the same memory as ac-gfbs.

Best Wishes,
Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094