[Oisf-users] AC vs HS performance
Vishal Kotalwar
vishalkv at altencalsoftlabs.com
Wed Sep 7 07:47:43 UTC 2016
Hi,
We were analyzing Suricata 3.0.1 IPS performance. We could achieve
3.1Gbps of throughput with a single NFQUEUE in worker mode and a few simple
rules (IP-PORT based rules).
We noticed that if we add more complex rules (rules with a "content"
field), the throughput drops to 1.5Gbps, even with a couple of "content"
rules. When we analyzed further, we could find that SCACSearch() from
util-mpm-ac.c was using up to 40% of CPU in complete packet processing
and causing the throughput drop. This, I hope, is on expected lines with AC MPM.
Many would have tested IPS with Hyperscan; do we see throughput
improvement with HS MPM? Are any improvement numbers possible to provide?
--
Thanks & Regards,
Vishal V. Kotalwar