MPM context explanation

Hi there!

I am doing a thesis about Suricata implementation. I'm having a hard time trying to figure out what, exactly, the mpm-context is.

Can someone please explain it to me?

Hi Nuno!

This is a late reply, but I'm posting it in case it might still be useful for you, and, if not, it could be the answer to someone else's questions in the future. (I ask you to forgive me beforehand if I'm going into concepts that may be too basic for you. One never knows in advance.)

So, MPM stands for multiple-pattern-matcher, and is part of the detection engine in Suricata. That means that it is used as part of the process of analyzing incoming packets against the registered rules Suricata is working with.

A rule/signature has one or more patterns. For a rule to be triggered, all patterns in that signature must match. The MPM will select a pattern from each signature, and use that collection to analyze packets. If a packet matches against the MPM, then further analysis is done. More about how MPM works can be found in our user documentation: 10.1. Suricata.yaml — Suricata 7.0.0-dev documentation

MPM-Context is also important for performance reasons. The MPM uses patterns from several rules (in a predefined signature group, from my understanding). Now, some rule groups need shared context, while others may need independent contexts.

From the suricata.yaml file:

# The detection engine builds internal groups of signatures. The engine
# allows us to specify the profile to use for them, to manage memory in an
# efficient way keeping good performance. For the profile keyword you
# can use the words "low", "medium", "high" or "custom". If you use custom,
# make sure to define the values in the "custom-values" section.
# Usually you would prefer medium/high/low.
# "sgh mpm-context", indicates how the staging should allot mpm contexts for
# the signature groups.  "single" indicates the use of a single context for
# all the signature group heads.  "full" indicates a mpm-context for each
# group head.  "auto" lets the engine decide the distribution of contexts
# based on the information the engine gathers on the patterns from each
# group head.

The MPM-context works together with the MPM-algorithm used (mpm-algo) as explained in Tuning considerations (9.3. Tuning Considerations — Suricata 7.0.0-dev documentation). If auto is chosen, the engine will select between having the context per signature group (full), or globally (single). When in doubt, this is likely the better alternative for the average user.

I hope this can be of any help, and good luck with your thesis :slight_smile:
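For readers who want to see where these knobs live, here is a trimmed `detect` section as an added illustration (not from the original reply or from the Suricata project's shipped file). The keys `detect.profile`, `detect.custom-values`, `detect.sgh-mpm-context`, `detect.inspection-recursion-limit` and the top-level `mpm-algo` are the ones in a stock suricata.yaml; the numeric values and the commented-out alternatives are chosen here only to show the trade-off discussed above.

```yaml
# Top-level choice of the multi-pattern-matcher implementation. "auto" picks
# Hyperscan if Suricata was built with it, otherwise Aho-Corasick ("ac").
# The sgh-mpm-context setting below describes how the chosen matcher's
# pattern sets are shared between signature group heads.
mpm-algo: auto

detect:
  # How many signature groups the engine builds; more groups means smaller
  # pattern sets per MPM run but more memory. "custom" uses custom-values.
  profile: medium
  custom-values:
    toclient-groups: 3
    toserver-groups: 25

  # "auto"   - engine decides per group head whether to share a context
  #            (the recommended default for most deployments).
  # "single" - one MPM context shared by every group head: lowest memory,
  #            but every packet is matched against the whole combined
  #            pattern set, so more candidate matches reach the full
  #            rule evaluation stage.
  # "full"   - a separate MPM context per group head: fastest prefilter,
  #            highest memory, noticeable with large rule sets.
  sgh-mpm-context: auto
  # sgh-mpm-context: single   # example: memory-constrained sensor
  # sgh-mpm-context: full     # example: plenty of RAM, very large rulesets

  # Bound on how deep content-match recursion may go; leave the default
  # unless profiling shows it is hit.
  inspection-recursion-limit: 3000
```

After changing these values, `suricata -c suricata.yaml --dump-config` prints the effective settings (look for the `detect.` and `mpm-algo` lines), which is the quickest way to confirm the file you edited is the one being loaded.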