[Snort-devel] http_gunzip preprocessor

Brian Caswell bmc at ...835...
Thu Jan 5 08:35:03 EST 2006

On Jan 4, 2006, at 6:02 PM, Frank Knobbe wrote:
> I think unrolling 500 bytes of gzipped stuff should certainly be doable
> without causing a performance hit. The more an IDS can inspect, the more
> justification it has for its existence.

Those two statements conflict.

In NSS's latest GIG IDS test, they mention sessions per second in test 
4.1.1.  In order to pass their gige test, you must be able to handle 
approximately 40,000 sessions per second.  Using your 500 byte example, 
I put together a quick benchmark.  On my high end mac, it takes 6.2 
seconds to decompress 500 bytes of random data compressed at the 
maximum level 40,000 times.

While a gige sensor is probably much faster, even if it was 6 times 
faster, adding additional second per to handle those requests means 
Snort is going to drop a TON of traffic.

Decompression is NOT negligible.  Even only doing 500 bytes of it.
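
A benchmark of the kind described in the post above, as an added example that is not part of the original message and not the code Brian Caswell ran. It assumes Python's `zlib` module as a stand-in for whatever he used; the 500-byte payload, maximum compression level and 40,000 sessions come from the post, and every function name is hypothetical.

```python
import os
import time
import zlib

PAYLOAD_BYTES = 500                # payload size discussed in the thread
SESSIONS = 40_000                  # sessions-per-second figure quoted in the post
GZIP_WBITS = 16 + zlib.MAX_WBITS   # gzip framing (HTTP Content-Encoding: gzip)


def make_gzip_body(size=PAYLOAD_BYTES):
    """Return (plain, body): constructed random bytes and their level-9 gzip form."""
    plain = os.urandom(size)
    comp = zlib.compressobj(9, zlib.DEFLATED, GZIP_WBITS)
    return plain, comp.compress(plain) + comp.flush()


def inflate_prefix(body, limit=PAYLOAD_BYTES):
    """Inflate at most `limit` output bytes using a fresh inflate state.

    A sensor cannot share decompressor state between sessions, so the
    setup cost of a new state is paid once per session, as it is here.
    """
    return zlib.decompressobj(GZIP_WBITS).decompress(body, limit)


def benchmark(sessions=SESSIONS, size=PAYLOAD_BYTES):
    """Time `sessions` independent bounded decompressions of one body."""
    plain, body = make_gzip_body(size)
    out = plain
    start = time.perf_counter()
    for _ in range(sessions):
        out = inflate_prefix(body, size)
    elapsed = time.perf_counter() - start
    if out != plain:
        raise ValueError("decompressed data does not match the input")
    per_session = elapsed / sessions if sessions else 0.0
    return {
        "sessions": sessions,
        "elapsed_s": elapsed,
        "per_session_us": per_session * 1e6,
        # CPU seconds needed per second of traffic at the quoted session rate
        "cpu_s_per_wire_s": per_session * SESSIONS,
    }


if __name__ == "__main__":
    for key, value in benchmark().items():
        print(f"{key}: {value}")
```

The `cpu_s_per_wire_s` figure is the one to compare against the sensor's budget: it is the decompression time added for every second of traffic at 40,000 sessions per second on the machine running the test.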

