[Oisf-users] AC vs HS performance
Vishal Kotalwar
vishalkv at altencalsoftlabs.com
Wed Sep 7 09:08:20 UTC 2016
Thanks Victor for the advice. But if you can provide me the numbers you
observed on your setup then i can co-relate and expect the same with my
setup.
On 07-Sep-16 1:32 PM, Victor Julien wrote:
> On 07-09-16 09:47, Vishal Kotalwar wrote:
>> We were analyzing suricata 3.0.1 IPS performance. We could achieve
>> 3.1Gbps of throughput with single NFQUEUE in worker mode and few simple
>> rules (IP-PORT based rules).
>>
>> We noticed that if we add more complex rules (rules with "content"
>> field); the throughput drops to 1.5Gbps, even with couple of "content"
>> rules. When we analyzed further, could find that SCACSearch() from
>> util-mpm-ac.c was using upto 40% of CPU in complete packet processing
>> and causing throughput drop. This I hope is on expected lines with AC MPM.
>>
>> Many would have tested IPS with Hyperscan, do we see throughput
>> improvement with HS MPM? if any improvement numbers are possible to provide?
> The only way to be sure in your setup is to give it a try. Overall we
> see good improvements with hyperscan, but YMMV.
>
> Btw, please post only to one list at a time.
>
--
Thanks & Regards,
Vishal V. Kotalwar
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160907/8453216b/attachment-0002.html>
More information about the Oisf-users
mailing list