[Oisf-users] New MPM available

Anoop Saldanha anoopsaldanha at gmail.com
Fri Feb 17 15:29:07 UTC 2012


On Thu, Feb 16, 2012 at 2:50 AM, Chris Wakelin
<c.d.wakelin at reading.ac.uk> wrote:
> On 15/02/12 08:08, Anoop Saldanha wrote:
>> On Tue, Feb 14, 2012 at 3:17 PM, Victor Julien <victor at inliniac.net> wrote:
>>> On 02/14/2012 10:22 AM, Anoop Saldanha wrote:
>>>> Hello all,
>>>>
>>>> We have a new MPM available in our codebase - "ac-bs".  This provides
>>>> compression that's pretty close to ac-gfbs, while performing better
>>>> than ac-gfbs.
>>>>
>>>> To use this mpm, set
>>>>
>>>> "mpm-algo: ac-bs" in the conf file.
>>>>
>>>> Would appreciate performance numbers with both
>>>>
>>>> "sgh-mpm-context:full"
>>>> and
>>>> "sgh-mpm-context:single"
>>>>
>
> <snip>
>
>> Keen to see how ac-bs performs with "full" sgh-mpm-context, against other mpms.
>
> Here's a quick test against a 1.2GB 1.7m pcap with ~4k rules, 13 alerts,
> 10k URLs:
>
> ac/context=full/profile=medium/runmode=single: 30.8s ~4.5GB max mem
> ac-bs/<ditto> : 46.5s ~3GB max mem
> ac-gfbs/<ditto> : 53s ~3GB max mem
>
> Much the same with profile=high (slightly less time for ac-bs and
> ac-gfbs and more for ac). I guess we need a bigger ruleset to see a
> difference.
>
> ac/context=full/profile=medium/runmode=autofp (8 detect threads, CPU
> affinity set): 13s ~5GB max mem
> ac-bs/<ditto>: 16.1s ~3.2GB max mem
> ac-gfbs/<ditto>: 18.1s ~3.2GB max mem
>
> so slightly more memory and much faster!
>
> The upshot seems to be that it's somewhere between ac and ac-gfbs for
> performance whilst using the same memory as ac-gfbs.
>
> Best Wishes,
> Chris
>
> --

Thanks for the nos.

The new one in full mode probably looks like an alternative to
ac/single, if we have enough memory to run the engine with ac-bs/full,
but not ac/full.

-- 
Anoop Saldanha


