From: Jason Ish Date: Thu, 17 Dec 2015 17:07:21 +0000 (-0600) Subject: doc: tuning considerations X-Git-Tag: suricata-3.2beta1~244 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2574415a2d39aff73827d6f1f1d308c8f9f73dc3;p=thirdparty%2Fsuricata.git doc: tuning considerations --- diff --git a/doc/sphinx/performance/index.rst b/doc/sphinx/performance/index.rst index d59442f1c6..252652f9ed 100644 --- a/doc/sphinx/performance/index.rst +++ b/doc/sphinx/performance/index.rst @@ -4,3 +4,4 @@ Performance .. toctree:: high-performance-config + tuning-considerations diff --git a/doc/sphinx/performance/tuning-considerations.rst b/doc/sphinx/performance/tuning-considerations.rst new file mode 100644 index 0000000000..b94e92ff8b --- /dev/null +++ b/doc/sphinx/performance/tuning-considerations.rst 
@@ -0,0 +1,55 @@ +Tuning Considerations +===================== + +Settings to check for optimal performance. + +max-pending-packets: +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This setting controls the number simultaneous packets that the engine +can handle. Setting this higher generally keeps the threads more busy, +but setting it too high will lead to degradation. + +Suggested setting: 1000 or higher. Max is ~65000. + +mpm-algo: +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Controls the pattern matcher algorithm. AC is the default and best +choice for most if not all cases. + +detect-engine.profile: +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The detection engine tries to split out separate signatures into +groups so that a packet is only inspected against signatures that can +actually match. As in large rule set this would result in way too many +groups and memory usage similar groups are merged together. The +profile setting controls how aggressive this merging is done. Higher +is better but results in (much) higher memory usage. + +The "custom" setting allows modification of the group sizes: + +:: + + - custom-values: + toclient-src-groups: 2 + toclient-dst-groups: 2 + toclient-sp-groups: 2 + toclient-dp-groups: 3 + toserver-src-groups: 2 + toserver-dst-groups: 4 + toserver-sp-groups: 2 + toserver-dp-groups: 25 + +In general, increasing will improve performance, but will lead to +higher memory usage. + +detect-engine.sgh-mpm-context: +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The multi pattern matcher can have it's context per signature group +(full) or globally (single). Auto selects between single and full +based on the **mpm-algo** selected. ac, ac-gfbs and ac-bs use +"single". All others "full". Setting this to "full" with AC requires a +lot of memory: 32GB+ for a reasonable rule set.
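Review bot: In the new tuning-considerations.rst, the detect-engine.profile section says "Higher is better but results in (much) higher memory usage" without listing the profile values a reader can choose from, and the sentence after the custom-values block ("In general, increasing will improve performance") does not say what is being increased. List the accepted profile values in order and state that the advice refers to the group counts. The mpm-algo section has the same gap: it names only AC, while the sgh-mpm-context section refers to ac, ac-gfbs and ac-bs and to "all others", so the available algorithms should be listed where mpm-algo is introduced. For max-pending-packets, "setting it too high will lead to degradation" sits next to "Suggested setting: 1000 or higher. Max is ~65000" with no hint of where degradation starts; a sentence on what to watch for when raising it would make the suggestion usable. Wording fixes in the same hunk: "the number simultaneous packets" should be "the number of simultaneous packets", "can have it's context" should be "can have its context", and the sentence beginning "As in large rule set this would result in way too many groups and memory usage similar groups are merged together" needs rephrasing and a comma before "similar groups".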