[Oisf-users] AC vs HS performance
Victor Julien
lists at inliniac.net
Wed Sep 7 08:02:17 UTC 2016
On 07-09-16 09:47, Vishal Kotalwar wrote:
> We were analyzing suricata 3.0.1 IPS performance. We could achieve
> 3.1Gbps of throughput with single NFQUEUE in worker mode and few simple
> rules (IP-PORT based rules).
>
> We noticed that if we add more complex rules (rules with "content"
> field); the throughput drops to 1.5Gbps, even with couple of "content"
> rules. When we analyzed further, could find that SCACSearch() from
> util-mpm-ac.c was using upto 40% of CPU in complete packet processing
> and causing throughput drop. This I hope is on expected lines with AC MPM.
>
> Many would have tested IPS with Hyperscan, do we see throughput
> improvement with HS MPM? if any improvement numbers are possible to provide?
The only way to be sure in your setup is to give it a try. Overall we
see good improvements with hyperscan, but YMMV.
Btw, please post only to one list at a time.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-users
mailing list