[Oisf-users] New MPM available

Anoop Saldanha anoopsaldanha at gmail.com
Mon Feb 20 05:27:21 UTC 2012 

as a reference, these are the table sizes on my box with "ac-bs" for
all the mpm contexts used by the engine, for a 18k ruleset

* in bytes

"ac-bs"
24348
38486
118900
47736
4716
4648804
558
15874
266202
6838
696
692
3982784
10756976

On Mon, Feb 20, 2012 at 4:19 AM, Tom DeCanio <decanio.tom at gmail.com> wrote:
> I just brought this up on the Tilera (tilegx).  Haven't benchmarked it yet,
> but the tables do look much smaller than those produced by ac.  Seems like
> this should improve performance here.  When I get my benchmarking setup back
> I'll gather some new numbers.
>
> Tom
>
> On Tue, Feb 14, 2012 at 1:22 AM, Anoop Saldanha <anoopsaldanha at gmail.com>
> wrote:
>>
>> Hello all,
>>
>> We have a new MPM available in our codebase - "ac-bs".  This provides
>> compression that's pretty close to ac-gfbs, while performing better
>> than ac-gfbs.
>>
>> To use this mpm, set
>>
>> "mpm-algo: ac-bs" in the conf file.
>>
>> Would appreciate performance numbers with both
>>
>> "sgh-mpm-context:full"
>> and
>> "sgh-mpm-context:single"
>>
>> To give an explanation on what "sgh-mpm-context" and the params "full"
>> and "single" mean, these refer to how we set up mpm contexts.
>> "single" indicates that we use a single context for all the patterns
>> in the engine.  "full" indicates that we split the patterns into many
>> mpm contexts, one mpm context per signature group head(sgh).
>>
>> To use "full" with a sufficiently decent ruleset(say > 10k rules with
>> a decent no of patterns) would require a lot of memory, running into a
>> couple of gigs for ac-gfbs or ac-bs or b2gc, or tens of gigs in case
>> of "ac".  "single" solves this with a single context and hence the
>> smaller memory footprint for the engine.
>>
>> If the machine has sufficient memory, "full" is suggested as it
>> provides much better performance than "single", albeit at the cost of
>> increased memory consumption.  More of a available_memory vs
>> performance scenario.
>>
>> Looking forward to some performance/memory feedback/benchmarks with
>> this mpm from the community.
>>
>> *mpm - multi pattern matcher
>> *sgh - signature group head
>>
>> --
>> Anoop Saldanha
>>
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>



-- 
Anoop Saldanha

More information about the Oisf-users mailing list