[Oisf-users] Testers: please test our initial Hyperscan support
Viiret, Justin
justin.viiret at intel.com
Fri Apr 1 06:57:00 UTC 2016
Hi Cooper,
I'm not an expert on the dev-detect-grouping work, so I'll leave your first question for others to answer, but I am interested in your performance results:
> So far performance seems identical to the prior "dev-detect-grouping"
> branch, with the caveat that memory usage is currently lower (by 50%
> currently). I'll leave it running overnight and see if that changes.
Memory usage may be lower for a couple of reasons:
* For a given set of patterns, Hyperscan may be able to build a smaller matcher that constructed by other MPM algorithms;
* When it's asked to build a previously constructed pattern set again, the caching code in util-mpm-hs.c will reuse a previously constructed database.
On master, with sgh-mpm-context set to "full", we saw many such duplicate MPM contexts being constructed. This may or may not be the case on the dev-detect-grouping branch -- I haven't looked at it yet. The default of "auto" or "single" only builds a small number of contexts and no duplicates.
Actual performance will vary, of course, depending on both the traffic and the rule set. Do you have a feel for how much time you're spending in actual MPM pattern matching, perhaps by pointing a sampling profiler at Suricata?
Best regards,
jv
More information about the Oisf-users
mailing list