From 99d5bf4e68adf640b4dbd14aea64acfb1d374002 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Wed, 28 Sep 2016 21:01:58 +0200 Subject: [PATCH] doc: improve tuning/perf docs --- .../performance/high-performance-config.rst | 73 +++---------------- doc/userguide/performance/index.rst | 10 +-- .../performance/tuning-considerations.rst | 26 +++---- 3 files changed, 25 insertions(+), 84 deletions(-) diff --git a/doc/userguide/performance/high-performance-config.rst b/doc/userguide/performance/high-performance-config.rst index fa1a3cde17..19c5e8f621 100644 --- a/doc/userguide/performance/high-performance-config.rst +++ b/doc/userguide/performance/high-performance-config.rst 
@@ -1,72 +1,19 @@ High Performance Configuration ============================== -If you have enough RAM, consider the following options in -suricata.yaml to off-load as much work from the CPU's as possible: +If you have enough RAM, consider the following options in suricata.yaml to off-load as much work from the CPU's as possible: :: - detect-engine: - - profile: custom - - custom-values: - toclient-src-groups: 200 - toclient-dst-groups: 200 - toclient-sp-groups: 200 - toclient-dp-groups: 300 - toserver-src-groups: 200 - toserver-dst-groups: 400 - toserver-sp-groups: 200 - toserver-dp-groups: 200 - - sgh-mpm-context: auto - - inspection-recursion-limit: 3000 + detect: + profile: custom + custom-values: + toclient-groups: 200 + toserver-groups: 200 + sgh-mpm-context: auto + inspection-recursion-limit: 3000 -Be advised, however, that this will require >= 32 GB of RAM for even -modestly sized rule sets. Also be aware that having additional CPU's -available provides a greater performance boost than having more RAM -available. That is, it would be better to spend money on CPU's -instead of RAM when configuring a system. +Be advised, however, that this may require lots of RAM for even modestly sized rule sets. Also be aware that having additional CPU's available provides a greater performance boost than having more RAM available. That is, it would be better to spend money on CPU's instead of RAM when configuring a system. -As a rough benchmark, in an HTTP-rich traffic stream, the full -Emerging Threats rule set will require roughly one CPU per 50 Mb/sec -of traffic when using "low" memory settings and using PF_RING to -ensure there are no traffic drops. +It may also lead to significantly longer rule loading times. 
-Here are the build in values for LOW/MEDIUM/HIGH profiles: - -:: - - - ENGINE_PROFILE_LOW: - toclient-src-groups: 2 - toclient-dst-groups: 2 - toclient-sp-groups: 2 - toclient-dp-groups: 3 - toserver-src-groups: 2 - toserver-dst-groups: 4 - toserver-sp-groups: 2 - toserver-dp-groups: 25 - - ENGINE_PROFILE_HIGH: - toclient-src-groups: 15 - toclient-dst-groups: 15 - toclient-sp-groups: 15 - toclient-dp-groups: 20 - toserver-src-groups: 15 - toserver-dst-groups: 15 - toserver-sp-groups: 15 - toserver-dp-groups: 40 - -If not provided: - -:: - - - default and MEDIUM profiles: - toclient-src-groups: 4 - toclient-dst-groups: 4 - toclient-sp-groups: 4 - toclient-dp-groups: 6 - toserver-src-groups: 4 - toserver-dst-groups: 8 - toserver-sp-groups: 4 - toserver-dp-groups: 30 diff --git a/doc/userguide/performance/index.rst b/doc/userguide/performance/index.rst index 7e08a99bdb..d43fa65896 100644 --- a/doc/userguide/performance/index.rst +++ b/doc/userguide/performance/index.rst @@ -3,13 +3,13 @@ Performance .. toctree:: - high-performance-config + runmodes + packet-capture tuning-considerations + hyperscan + high-performance-config statistics + ignoring-traffic packet-profiling rule-profiling - runmodes tcmalloc - ignoring-traffic - hyperscan - packet-capture diff --git a/doc/userguide/performance/tuning-considerations.rst b/doc/userguide/performance/tuning-considerations.rst index b94e92ff8b..b2e74946c3 100644 --- a/doc/userguide/performance/tuning-considerations.rst +++ b/doc/userguide/performance/tuning-considerations.rst 
@@ -12,13 +12,12 @@ but setting it too high will lead to degradation. Suggested setting: 1000 or higher. Max is ~65000. -mpm-algo: +mpm-algo: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Controls the pattern matcher algorithm. AC is the default and best -choice for most if not all cases. +Controls the pattern matcher algorithm. AC is the default. On supported platforms, :doc:`performance/hyperscan` is the best option. -detect-engine.profile: +detect.profile: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The detection engine tries to split out separate signatures into @@ -32,24 +31,19 @@ The "custom" setting allows modification of the group sizes: :: - - custom-values: - toclient-src-groups: 2 - toclient-dst-groups: 2 - toclient-sp-groups: 2 - toclient-dp-groups: 3 - toserver-src-groups: 2 - toserver-dst-groups: 4 - toserver-sp-groups: 2 - toserver-dp-groups: 25 + custom-values: + toclient-groups: 50 + toserver-groups: 50 In general, increasing will improve performance, but will lead to higher memory usage. -detect-engine.sgh-mpm-context: +detect.sgh-mpm-context: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The multi pattern matcher can have it's context per signature group (full) or globally (single). Auto selects between single and full -based on the **mpm-algo** selected. ac, ac-gfbs and ac-bs use -"single". All others "full". Setting this to "full" with AC requires a +based on the **mpm-algo** selected. ac and ac-bs use "single". +All others "full". Setting this to "full" with AC requires a lot of memory: 32GB+ for a reasonable rule set. +
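Review bot: In doc/userguide/performance/high-performance-config.rst, the hunk deletes the built-in LOW/MEDIUM/HIGH value listings without giving the equivalents for the new toclient-groups and toserver-groups keys, so a reader who sets 200 has no baseline to compare against. Add a short listing of what the low, medium and high profiles use for those two keys, or a sentence saying where to find them. Since the paragraph is being re-wrapped anyway, "CPU's" in the added lines should be "CPUs".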
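Review bot: In the first hunk of doc/userguide/performance/tuning-considerations.rst, the added mpm-algo sentence links with :doc:`performance/hyperscan`, but this file already sits in doc/userguide/performance/ and the toctree in index.rst in the same directory lists the page as plain hyperscan. Sphinx resolves a :doc: target without a leading slash relative to the current document, so this would look for performance/performance/hyperscan and give a broken reference. Use :doc:`hyperscan` here.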
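Review bot: In the second hunk of doc/userguide/performance/tuning-considerations.rst, the sgh-mpm-context paragraph keeps "32GB+ for a reasonable rule set" while this same patch replaces ">= 32 GB" with "lots of RAM" in high-performance-config.rst, so the two pages now state the memory cost differently. Pick one wording and use it in both places. The custom-values example here uses 50 where the other page uses 200, and a sentence on how to choose between them would help. The unchanged context line "can have it's context" should read "its context" and can be fixed while the paragraph is being edited.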