doc: improve tuning/perf docs

OISF · Sep 28, 2016 · 99d5bf4 · 99d5bf4
1 parent c7c8de7
commit 99d5bf4
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 84 deletions.
diff --git a/doc/userguide/performance/high-performance-config.rst b/doc/userguide/performance/high-performance-config.rst
@@ -1,72 +1,19 @@
 High Performance Configuration
 ==============================
 
-If you have enough RAM, consider the following options in
-suricata.yaml to off-load as much work from the CPU's as possible:
+If you have enough RAM, consider the following options in suricata.yaml to off-load as much work from the CPU's as possible:
 
 ::
 
-  detect-engine:
-    - profile: custom
-    - custom-values:
-        toclient-src-groups: 200
-        toclient-dst-groups: 200
-        toclient-sp-groups: 200
-        toclient-dp-groups: 300
-        toserver-src-groups: 200
-        toserver-dst-groups: 400
-        toserver-sp-groups: 200
-        toserver-dp-groups: 200
-    - sgh-mpm-context: auto
-    - inspection-recursion-limit: 3000
+  detect:
+    profile: custom
+    custom-values:
+        toclient-groups: 200
+        toserver-groups: 200
+    sgh-mpm-context: auto
+    inspection-recursion-limit: 3000
 
-Be advised, however, that this will require >= 32 GB of RAM for even
-modestly sized rule sets.  Also be aware that having additional CPU's
-available provides a greater performance boost than having more RAM
-available.  That is, it would be better to spend money on CPU's
-instead of RAM when configuring a system.
+Be advised, however, that this may require lots of RAM for even modestly sized rule sets.  Also be aware that having additional CPU's available provides a greater performance boost than having more RAM available.  That is, it would be better to spend money on CPU's instead of RAM when configuring a system.
 
-As a rough benchmark, in an HTTP-rich traffic stream, the full
-Emerging Threats rule set will require roughly one CPU per 50 Mb/sec
-of traffic when using "low" memory settings and using PF_RING to
-ensure there are no traffic drops.
+It may also lead to significantly longer rule loading times.
 
-Here are the build in values for LOW/MEDIUM/HIGH profiles:
-
-::
-
-
-  ENGINE_PROFILE_LOW:
-        toclient-src-groups: 2
-        toclient-dst-groups: 2
-        toclient-sp-groups: 2
-        toclient-dp-groups: 3
-        toserver-src-groups: 2
-        toserver-dst-groups: 4
-        toserver-sp-groups: 2
-        toserver-dp-groups: 25
-
-  ENGINE_PROFILE_HIGH:
-        toclient-src-groups: 15
-        toclient-dst-groups: 15
-        toclient-sp-groups: 15
-        toclient-dp-groups: 20
-        toserver-src-groups: 15
-        toserver-dst-groups: 15
-        toserver-sp-groups: 15
-        toserver-dp-groups: 40
-
-If not provided:
-
-::
-
-
-  default and MEDIUM profiles:
-        toclient-src-groups: 4
-        toclient-dst-groups: 4
-        toclient-sp-groups: 4
-        toclient-dp-groups: 6
-        toserver-src-groups: 4
-        toserver-dst-groups: 8
-        toserver-sp-groups: 4
-        toserver-dp-groups: 30
diff --git a/doc/userguide/performance/index.rst b/doc/userguide/performance/index.rst
@@ -3,13 +3,13 @@ Performance
 
 .. toctree::
 
-   high-performance-config
+   runmodes
+   packet-capture
    tuning-considerations
+   hyperscan
+   high-performance-config
    statistics
+   ignoring-traffic
    packet-profiling
    rule-profiling
-   runmodes
    tcmalloc
-   ignoring-traffic
-   hyperscan
-   packet-capture
diff --git a/doc/userguide/performance/tuning-considerations.rst b/doc/userguide/performance/tuning-considerations.rst
@@ -12,13 +12,12 @@ but setting it too high will lead to degradation.
 
 Suggested setting: 1000 or higher. Max is ~65000.
 
-mpm-algo: <ac|ac-gfbs|ac-bs|b2g|b3g|wumanber>
+mpm-algo: <ac|hs|ac-bs|ac-ks>
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Controls the pattern matcher algorithm. AC is the default and best
-choice for most if not all cases.
+Controls the pattern matcher algorithm. AC is the default. On supported platforms, :doc:`performance/hyperscan` is the best option.
 
-detect-engine.profile: <low|medium|high|custom>
+detect.profile: <low|medium|high|custom>
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 The detection engine tries to split out separate signatures into
@@ -32,24 +31,19 @@ The "custom" setting allows modification of the group sizes:
 
 ::
 
-    - custom-values:
-        toclient-src-groups: 2
-        toclient-dst-groups: 2
-        toclient-sp-groups: 2
-        toclient-dp-groups: 3
-        toserver-src-groups: 2
-        toserver-dst-groups: 4
-        toserver-sp-groups: 2
-        toserver-dp-groups: 25
+    custom-values:
+      toclient-groups: 50
+      toserver-groups: 50
 
 In general, increasing will improve performance, but will lead to
 higher memory usage.
 
-detect-engine.sgh-mpm-context: <auto|single|full>
+detect.sgh-mpm-context: <auto|single|full>
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 The multi pattern matcher can have it's context per signature group
 (full) or globally (single). Auto selects between single and full
-based on the **mpm-algo** selected. ac, ac-gfbs and ac-bs use
-"single". All others "full". Setting this to "full" with AC requires a
+based on the **mpm-algo** selected. ac and ac-bs use "single".
+All others "full". Setting this to "full" with AC requires a
 lot of memory: 32GB+ for a reasonable rule set.
+