75 changes: 37 additions & 38 deletions suricata.yaml.in
Expand Up @@ -1810,15 +1810,43 @@ detect:
custom-values:
toclient-groups: 3
toserver-groups: 25
sgh-mpm-context: auto
# Cache MPM contexts to the disk to avoid rule compilation at the startup.
# Cache files are created in the standard library directory.
sgh-mpm-caching: yes
sgh-mpm-caching-path: @e_sghcachedir@
# Maximum age for cached MPM databases before they are pruned.
# Accepts a combination of time units (s,m,h,d,w,y).
# Omit to use the default, 0 to disable.
# sgh-mpm-caching-max-age: 7d
mpm:
Contributor

Why place this in mpm in detect when mpm is not only about detect (see ftp parsing for example)?

# Select the multi pattern algorithm you want to run for scan/search
Copilot AI Feb 25, 2026

Grammar issue: "you want to run for scan/search in the engine" is awkward. Should be "you want to run for scanning/searching in the engine" or "you want to use for pattern matching in the engine".

Suggested change
# Select the multi pattern algorithm you want to run for scan/search
# Select the multi pattern algorithm you want to use for pattern matching

# in the engine.
#
# The supported algorithms are:
# "ac" - Aho-Corasick, default implementation
# "ac-ks" - Aho-Corasick, "Ken Steele" variant
# "hs" - Hyperscan, available when built with Hyperscan support
#
# The default value of "auto" will use "hs" if Hyperscan is
# available, "ac" otherwise.
#
# The mpm you choose also decides the distribution of mpm contexts for
# signature groups, specified by the conf - "detect.mpm.sgh-context".
# Selecting "ac" as the mpm would require "detect.mpm.sgh-context"
# to be set to "single", because of ac's memory requirements, unless the
# ruleset is small enough to fit in memory, in which case one can
# use "full" with "ac". The rest of the mpms can be run in "full" mode.
algo: auto
sgh-context: auto
cache:
# Cache MPM contexts to the disk to avoid rule compilation at the startup.
# Cache files are created in the standard library directory.
enabled: yes
Member

Not really specific to this PR, but is the cache enabled by default even if this is commented out?

Contributor Author

Yes, starting in Suricata 8, if the caching folder is available/writeable.

Member

We can comment it out then. This helps us make sure defaults are actually defaults, and not just a default because they are set that way in the configuration file.

path: @e_sghcachedir@
# Maximum age for cached MPM databases before they are pruned.
# Accepts a combination of time units (s,m,h,d,w,y).
# Omit to use the default, 0 to disable.
# max-age: 7d
spm:
# Select the matching algorithm you want to use for single-pattern searches.
#
# Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only
# available if Suricata has been built with Hyperscan support).
#
# The default of "auto" will use "hs" if available, otherwise "bm".
algo: auto
Comment on lines +1813 to +1849
Copilot AI Feb 25, 2026

The configuration paths have been changed in the YAML file (e.g., mpm-algo moved to detect.mpm.algo), but the C code still reads from the old configuration paths. The code in src/detect-engine-mpm.c line 917 uses SCConfGet("mpm-algo", ...), which will not find the value at the new location detect.mpm.algo. Similar issues exist for:

  • spm-algo (used in src/util-spm.c line 72)
  • detect.sgh-mpm-context (used in src/detect-engine.c line 2793)
  • detect.sgh-mpm-caching (used in src/detect-engine.c line 2458)
  • detect.sgh-mpm-caching-path (used in src/detect-engine.c line 2470)
  • detect.sgh-mpm-caching-max-age (used in src/detect-engine.c line 2555)

This PR needs corresponding C code changes to read from the new configuration paths, or it needs backward compatibility support to handle both old and new paths during a transition period.

Comment on lines +1813 to +1849
Copilot AI Feb 25, 2026

Documentation in multiple files (doc/userguide/configuration/suricata-yaml.rst, doc/userguide/performance/hyperscan.rst, doc/userguide/performance/tuning-considerations.rst, etc.) still references the old configuration paths like mpm-algo, spm-algo, detect.sgh-mpm-context, sgh-mpm-caching, etc. These documentation files need to be updated to reflect the new nested structure under detect.mpm and detect.spm.

# inspection-recursion-limit: 3000
# maximum number of times a tx will get logged for rules without app-layer keywords
# stream-tx-log-limit: 4
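
Review bot: In the new `cache:` block the comments do not match the keys beneath them: "Cache files are created in the standard library directory" sits directly above a configurable `path:`, and the `max-age` comment says "Omit to use the default" without stating what that default is. Suggest rewording the first comment to describe `path:` as the cache location, stating the default age explicitly, and noting that the directory should be writable only by the Suricata user, since the cached MPM contexts are used at startup in place of compiling the rules. It would also help to name the former keys (`sgh-mpm-caching`, `sgh-mpm-caching-path`, `sgh-mpm-caching-max-age`) in this block so existing configurations can be migrated.
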
Expand Down Expand Up @@ -1861,35 +1889,6 @@ detect:
include-rules: false # very verbose
include-mpm-stats: false

# Select the multi pattern algorithm you want to run for scan/search the
# in the engine.
#
# The supported algorithms are:
# "ac" - Aho-Corasick, default implementation
# "ac-ks" - Aho-Corasick, "Ken Steele" variant
# "hs" - Hyperscan, available when built with Hyperscan support
#
# The default mpm-algo value of "auto" will use "hs" if Hyperscan is
# available, "ac" otherwise.
#
# The mpm you choose also decides the distribution of mpm contexts for
# signature groups, specified by the conf - "detect.sgh-mpm-context".
# Selecting "ac" as the mpm would require "detect.sgh-mpm-context"
# to be set to "single", because of ac's memory requirements, unless the
# ruleset is small enough to fit in memory, in which case one can
# use "full" with "ac". The rest of the mpms can be run in "full" mode.

mpm-algo: auto

# Select the matching algorithm you want to use for single-pattern searches.
#
# Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only
# available if Suricata has been built with Hyperscan support).
#
# The default of "auto" will use "hs" if available, otherwise "bm".

spm-algo: auto

# Suricata is multi-threaded. Here the threading can be influenced.
threading:
set-cpu-affinity: no
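
Review bot: With `mpm-algo: auto` and `spm-algo: auto` removed from this location, nothing here tells a reader where the settings went, and a configuration that still sets `mpm-algo` or `spm-algo` at the old level is not addressed by this change. Suggest leaving a short comment at this spot pointing to `detect.mpm.algo` and `detect.spm.algo`, and having the engine log a deprecation warning when the old keys are still set.
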