[Oisf-users] New MPM available

Victor Julien victor at inliniac.net
Fri Feb 17 16:57:38 UTC 2012


On 02/17/2012 05:38 PM, Victor Julien wrote:
> On 02/17/2012 04:29 PM, Anoop Saldanha wrote:
>> On Thu, Feb 16, 2012 at 2:50 AM, Chris Wakelin
>> <c.d.wakelin at reading.ac.uk> wrote:
>>> On 15/02/12 08:08, Anoop Saldanha wrote:
>>>> On Tue, Feb 14, 2012 at 3:17 PM, Victor Julien <victor at inliniac.net> wrote:
>>>>> On 02/14/2012 10:22 AM, Anoop Saldanha wrote:
>>>>>> Hello all,
>>>>>>
>>>>>> We have a new MPM available in our codebase - "ac-bs".  This provides
>>>>>> compression that's pretty close to ac-gfbs, while performing better
>>>>>> than ac-gfbs.
>>>>>>
>>>>>> To use this mpm, set
>>>>>>
>>>>>> "mpm-algo: ac-bs" in the conf file.
>>>>>>
>>>>>> Would appreciate performance numbers with both
>>>>>>
>>>>>> "sgh-mpm-context:full"
>>>>>> and
>>>>>> "sgh-mpm-context:single"
>>>>>>
>>>
>>> <snip>
>>>
>>>> Keen to see how ac-bs performs with "full" sgh-mpm-context, against other mpms.
>>>
>>> Here's a quick test against a 1.2GB 1.7m pcap with ~4k rules, 13 alerts,
>>> 10k URLs:
>>>
>>> ac/context=full/profile=medium/runmode=single: 30.8s ~4.5GB max mem
>>> ac-bs/<ditto> : 46.5s ~3GB max mem
>>> ac-gfbs/<ditto> : 53s ~3GB max mem
>>>
>>> Much the same with profile=high (slightly less time for ac-bs and
>>> ac-gfbs and more for ac). I guess we need a bigger ruleset to see a
>>> difference.
>>>
>>> ac/context=full/profile=medium/runmode=autofp (8 detect threads, CPU
>>> affinity set): 13s ~5GB max mem
>>> ac-bs/<ditto>: 16.1s ~3.2GB max mem
>>> ac-gfbs/<ditto>: 18.1s ~3.2GB max mem
>>>
>>> so slightly more memory and much faster!
>>>
>>> The upshot seems to be that it's somewhere between ac and ac-gfbs for
>>> performance whilst using the same memory as ac-gfbs.
>>>
>>> Best Wishes,
>>> Chris
>>>
>>> --
>>
>> Thanks for the nos.
>>
>> The new one in full mode probably looks like an alternative to
>> ac/single, if we have enough memory to run the engine with ac-bs/full,
>> but not ac/full.
>>
> 
> I wonder what the performance & memory usage would be of (algo/ctx/profile):
> 
> ac/single/medium
> vs
> ac-bs/full/high
> 
> If I find some time I'll test it myself.
> 

Okay, bad idea :) I killed ac-bs/full/high with emerging-all.rules at
12GB memory usage. ac-bs/full/medium used 4780MB but ran slower than
ac/single/medium (830MB memory).

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------



