[Oisf-users] New MPM available

Victor Julien victor at inliniac.net
Fri Feb 17 16:38:31 UTC 2012


On 02/17/2012 04:29 PM, Anoop Saldanha wrote:
> On Thu, Feb 16, 2012 at 2:50 AM, Chris Wakelin
> <c.d.wakelin at reading.ac.uk> wrote:
>> On 15/02/12 08:08, Anoop Saldanha wrote:
>>> On Tue, Feb 14, 2012 at 3:17 PM, Victor Julien <victor at inliniac.net> wrote:
>>>> On 02/14/2012 10:22 AM, Anoop Saldanha wrote:
>>>>> Hello all,
>>>>>
>>>>> We have a new MPM available in our codebase - "ac-bs".  This provides
>>>>> compression that's pretty close to ac-gfbs, while performing better
>>>>> than ac-gfbs.
>>>>>
>>>>> To use this mpm, set
>>>>>
>>>>> "mpm-algo: ac-bs" in the conf file.
>>>>>
>>>>> Would appreciate performance numbers with both
>>>>>
>>>>> "sgh-mpm-context:full"
>>>>> and
>>>>> "sgh-mpm-context:single"
>>>>>
>>
>> <snip>
>>
>>> Keen to see how ac-bs performs with "full" sgh-mpm-context, against other mpms.
>>
>> Here's a quick test against a 1.2GB 1.7m pcap with ~4k rules, 13 alerts,
>> 10k URLs:
>>
>> ac/context=full/profile=medium/runmode=single: 30.8s ~4.5GB max mem
>> ac-bs/<ditto> : 46.5s ~3GB max mem
>> ac-gfbs/<ditto> : 53s ~3GB max mem
>>
>> Much the same with profile=high (slightly less time for ac-bs and
>> ac-gfbs and more for ac). I guess we need a bigger ruleset to see a
>> difference.
>>
>> ac/context=full/profile=medium/runmode=autofp (8 detect threads, CPU
>> affinity set): 13s ~5GB max mem
>> ac-bs/<ditto>: 16.1s ~3.2GB max mem
>> ac-gfbs/<ditto>: 18.1s ~3.2GB max mem
>>
>> so slightly more memory and much faster!
>>
>> The upshot seems to be that it's somewhere between ac and ac-gfbs for
>> performance whilst using the same memory as ac-gfbs.
>>
>> Best Wishes,
>> Chris
>>
>> --
> 
> Thanks for the nos.
> 
> The new one in full mode probably looks like an alternative to
> ac/single, if we have enough memory to run the engine with ac-bs/full,
> but not ac/full
> 

I wonder what the performance & memory usage would be of (algo/ctx/profile):

ac/single/medium
vs
ac-bs/full/high

If I find some time I'll test it myself.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------



