[Oisf-users] New MPM available

Tom DeCanio decanio.tom at gmail.com
Sun Feb 19 22:49:14 UTC 2012

I just brought this up on the Tilera (tilegx).  Haven't benchmarked it yet,
but the tables do look much smaller than those produced by ac.  Seems like
this should improve performance here.  When I get my benchmarking setup
back I'll gather some new numbers.


On Tue, Feb 14, 2012 at 1:22 AM, Anoop Saldanha <anoopsaldanha at gmail.com>wrote:

> Hello all,
> We have a new MPM available in our codebase - "ac-bs".  This provides
> compression that's pretty close to ac-gfbs, while performing better
> than ac-gfbs.
> To use this mpm, set
> "mpm-algo: ac-bs" in the conf file.
> Would appreciate performance numbers with both
> "sgh-mpm-context:full"
> and
> "sgh-mpm-context:single"
> To give an explanation on what "sgh-mpm-context" and the params "full"
> and "single" mean, these refer to how we set up mpm contexts.
> "single" indicates that we use a single context for all the patterns
> in the engine.  "full" indicates that we split the patterns into many
> mpm contexts, one mpm context per signature group head(sgh).
> To use "full" with a sufficiently decent ruleset(say > 10k rules with
> a decent no of patterns) would require a lot of memory, running into a
> couple of gigs for ac-gfbs or ac-bs or b2gc, or tens of gigs in case
> of "ac".  "single" solves this with a single context and hence the
> smaller memory footprint for the engine.
> If the machine has sufficient memory, "full" is suggested as it
> provides much better performance than "single", albeit at the cost of
> increased memory consumption.  More of a available_memory vs
> performance scenario.
> Looking forward to some performance/memory feedback/benchmarks with
> this mpm from the community.
> *mpm - multi pattern matcher
> *sgh - signature group head
> --
> Anoop Saldanha
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120219/fa5a7ce4/attachment-0002.html>

More information about the Oisf-users mailing list