doc: improve tuning/perf docs

9 years ago · 99d5bf4e68
parent c7c8de7d59
commit 99d5bf4e68
3 changed files with 25 additions and 84 deletions
--- a/doc/userguide/performance/high-performance-config.rst
+++ b/doc/userguide/performance/high-performance-config.rst
@ -1,72 +1,19 @@
 High Performance Configuration
 ==============================

-If you have enough RAM, consider the following options in
-suricata.yaml to off-load as much work from the CPU's as possible:
+If you have enough RAM, consider the following options in suricata.yaml to off-load as much work from the CPU's as possible:

 ::

-  detect-engine:
-    - profile: custom
-    - custom-values:
-        toclient-src-groups: 200
-        toclient-dst-groups: 200
-        toclient-sp-groups: 200
-        toclient-dp-groups: 300
-        toserver-src-groups: 200
-        toserver-dst-groups: 400
-        toserver-sp-groups: 200
-        toserver-dp-groups: 200
-    - sgh-mpm-context: auto
-    - inspection-recursion-limit: 3000
+  detect:
+    profile: custom
+    custom-values:
+        toclient-groups: 200
+        toserver-groups: 200
+    sgh-mpm-context: auto
+    inspection-recursion-limit: 3000

-Be advised, however, that this will require >= 32 GB of RAM for even
-modestly sized rule sets.  Also be aware that having additional CPU's
-available provides a greater performance boost than having more RAM
-available.  That is, it would be better to spend money on CPU's
-instead of RAM when configuring a system.
+Be advised, however, that this may require lots of RAM for even modestly sized rule sets.  Also be aware that having additional CPU's available provides a greater performance boost than having more RAM available.  That is, it would be better to spend money on CPU's instead of RAM when configuring a system.

-As a rough benchmark, in an HTTP-rich traffic stream, the full
-Emerging Threats rule set will require roughly one CPU per 50 Mb/sec
-of traffic when using "low" memory settings and using PF_RING to
-ensure there are no traffic drops.
+It may also lead to significantly longer rule loading times.

-Here are the build in values for LOW/MEDIUM/HIGH profiles:
-
-::
-
-
-  ENGINE_PROFILE_LOW:
-        toclient-src-groups: 2
-        toclient-dst-groups: 2
-        toclient-sp-groups: 2
-        toclient-dp-groups: 3
-        toserver-src-groups: 2
-        toserver-dst-groups: 4
-        toserver-sp-groups: 2
-        toserver-dp-groups: 25
-
-  ENGINE_PROFILE_HIGH:
-        toclient-src-groups: 15
-        toclient-dst-groups: 15
-        toclient-sp-groups: 15
-        toclient-dp-groups: 20
-        toserver-src-groups: 15
-        toserver-dst-groups: 15
-        toserver-sp-groups: 15
-        toserver-dp-groups: 40
-
-If not provided:
-
-::
-
-
-  default and MEDIUM profiles:
-        toclient-src-groups: 4
-        toclient-dst-groups: 4
-        toclient-sp-groups: 4
-        toclient-dp-groups: 6
-        toserver-src-groups: 4
-        toserver-dst-groups: 8
-        toserver-sp-groups: 4
-        toserver-dp-groups: 30
--- a/doc/userguide/performance/index.rst
+++ b/doc/userguide/performance/index.rst
@ -3,13 +3,13 @@ Performance

 .. toctree::

-   high-performance-config
+   runmodes
+   packet-capture
   tuning-considerations
+   hyperscan
+   high-performance-config
   statistics
+   ignoring-traffic
   packet-profiling
   rule-profiling
-   runmodes
   tcmalloc
-   ignoring-traffic
-   hyperscan
-   packet-capture
--- a/doc/userguide/performance/tuning-considerations.rst
+++ b/doc/userguide/performance/tuning-considerations.rst
@ -12,13 +12,12 @@ but setting it too high will lead to degradation.

 Suggested setting: 1000 or higher. Max is ~65000.

-mpm-algo: <ac|ac-gfbs|ac-bs|b2g|b3g|wumanber>
+mpm-algo: <ac|hs|ac-bs|ac-ks>
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-Controls the pattern matcher algorithm. AC is the default and best
-choice for most if not all cases.
+Controls the pattern matcher algorithm. AC is the default. On supported platforms, :doc:`performance/hyperscan` is the best option.

-detect-engine.profile: <low|medium|high|custom>
+detect.profile: <low|medium|high|custom>
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 The detection engine tries to split out separate signatures into
@ -32,24 +31,19 @@ The "custom" setting allows modification of the group sizes:

 ::

-    - custom-values:
-        toclient-src-groups: 2
-        toclient-dst-groups: 2
-        toclient-sp-groups: 2
-        toclient-dp-groups: 3
-        toserver-src-groups: 2
-        toserver-dst-groups: 4
-        toserver-sp-groups: 2
-        toserver-dp-groups: 25
+    custom-values:
+      toclient-groups: 50
+      toserver-groups: 50

 In general, increasing will improve performance, but will lead to
 higher memory usage.

-detect-engine.sgh-mpm-context: <auto|single|full>
+detect.sgh-mpm-context: <auto|single|full>
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 The multi pattern matcher can have it's context per signature group
 (full) or globally (single). Auto selects between single and full
-based on the **mpm-algo** selected. ac, ac-gfbs and ac-bs use
-"single". All others "full". Setting this to "full" with AC requires a
+based on the **mpm-algo** selected. ac and ac-bs use "single".
+All others "full". Setting this to "full" with AC requires a
 lot of memory: 32GB+ for a reasonable rule set.
+