7.3. Tuning Considerations

Settings to check for optimal performance.

7.3.1. max-pending-packets: <number>

This setting controls the number simultaneous packets that the engine can handle. Setting this higher generally keeps the threads more busy, but setting it too high will lead to degradation.

Suggested setting: 1000 or higher. Max is ~65000.

7.3.2. mpm-algo: <ac|hs|ac-bs|ac-ks>

Controls the pattern matcher algorithm. AC is the default. On supported platforms, Hyperscan is the best option.

7.3.3. detect.profile: <low|medium|high|custom>

The detection engine tries to split out separate signatures into groups so that a packet is only inspected against signatures that can actually match. As in large rule set this would result in way too many groups and memory usage similar groups are merged together. The profile setting controls how aggressive this merging is done. Higher is better but results in (much) higher memory usage.

The “custom” setting allows modification of the group sizes:

  toclient-groups: 50
  toserver-groups: 50

In general, increasing will improve performance, but will lead to higher memory usage.

7.3.4. detect.sgh-mpm-context: <auto|single|full>

The multi pattern matcher can have it’s context per signature group (full) or globally (single). Auto selects between single and full based on the mpm-algo selected. ac and ac-bs use “single”. All others “full”. Setting this to “full” with AC requires a lot of memory: 32GB+ for a reasonable rule set.