[Snort-devel] http_gunzip preprocessor
bmc at ...835...
Thu Jan 5 08:35:03 EST 2006
On Jan 4, 2006, at 6:02 PM, Frank Knobbe wrote:
> I think unrolling 500 bytes of gzipped stuff should certainly be doable
> without causing a performance hit. The more an IDS can inspect, the more
> justification it has for its existence.
Those two statements conflict.
In NSS's latest GIG IDS test, they mention sessions per second in test
4.1.1. In order to pass their gige test, you must be able to handle
approximately 40,000 sessions per second. Using your 500-byte example,
I put together a quick benchmark. On my high-end Mac, it takes 6.2
seconds to decompress 500 bytes of random data compressed at the
maximum level 40,000 times.
While a gige sensor is probably much faster, even if it were 6 times
faster, adding an additional second to handle those requests means
Snort is going to drop a TON of traffic.
Decompression is NOT negligible. Even only doing 500 bytes of it.
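The benchmark described in the message above, reconstructed as an added example (this is not the poster's script and not Snort code): gzip-compress a 500-byte body at level 9, decompress it 40,000 times, and report the wall-clock cost of that many sessions. The gzip container (zlib wbits 31, matching HTTP Content-Encoding: gzip), the fixed PRNG seed, and the second, HTML-like body used for comparison are assumptions added here; the post only mentions random data. Timings are machine-dependent, so the numbers will differ from the 6.2 seconds quoted, but the structure of the argument (per-session microseconds times sessions per second) is what the script makes visible.

```python
import random
import time
import zlib

PAYLOAD_SIZE = 500      # bytes per session, the figure used in the thread
SESSIONS = 40_000       # sessions/second cited for the gigabit test
GZIP_WBITS = 31         # assumption: gzip framing, as an HTTP body would carry
COMPRESS_LEVEL = 9      # "maximum level" in the post


def make_payloads():
    """Constructed sample bodies: random bytes (as in the post) and a
    repetitive HTML-like body for comparison (added assumption)."""
    rng = random.Random(1234)  # fixed seed so runs are reproducible
    random_body = bytes(rng.getrandbits(8) for _ in range(PAYLOAD_SIZE))
    html_body = (b"<html><body><p>example text</p></body></html>\n" * 20)[:PAYLOAD_SIZE]
    return {"random": random_body, "html": html_body}


def gzip_compress(data, level=COMPRESS_LEVEL):
    """Compress `data` into a gzip member at the given deflate level."""
    c = zlib.compressobj(level, zlib.DEFLATED, GZIP_WBITS)
    return c.compress(data) + c.flush()


def gzip_decompress(blob):
    """Inflate one gzip member back to the original bytes."""
    return zlib.decompress(blob, GZIP_WBITS)


def benchmark(blob, iterations):
    """Decompress `blob` `iterations` times.

    Returns (elapsed_seconds, microseconds_per_decompress, decompresses_per_second).
    """
    start = time.perf_counter()
    for _ in range(iterations):
        gzip_decompress(blob)
    elapsed = time.perf_counter() - start
    return elapsed, elapsed / iterations * 1e6, iterations / elapsed


def seconds_per_session_load(elapsed, iterations, sessions_per_second=SESSIONS):
    """Wall-clock seconds consumed per second of traffic at the given session
    rate; anything approaching 1.0 means the sensor cannot keep up."""
    return (elapsed / iterations) * sessions_per_second


def run(iterations=SESSIONS):
    """Run the benchmark for each payload and return a summary dict."""
    results = {}
    for name, body in make_payloads().items():
        blob = gzip_compress(body)
        assert gzip_decompress(blob) == body  # round-trip sanity check
        elapsed, us_per_op, ops_per_s = benchmark(blob, iterations)
        results[name] = {
            "compressed_bytes": len(blob),
            "elapsed_s": elapsed,
            "us_per_decompress": us_per_op,
            "decompress_per_s": ops_per_s,
            "cpu_seconds_per_traffic_second": seconds_per_session_load(elapsed, iterations),
        }
    return results


if __name__ == "__main__":
    for name, r in run().items():
        print(f"{name:>6}: {r['compressed_bytes']} compressed bytes, "
              f"{r['elapsed_s']:.2f}s for {SESSIONS} sessions, "
              f"{r['us_per_decompress']:.1f} us each, "
              f"{r['cpu_seconds_per_traffic_second']:.2f} CPU-s per traffic-s")
```

The last column is the figure that matters for the argument in the thread: with 40,000 sessions per second, every microsecond of per-session decompression costs 0.04 seconds of CPU per second of traffic, so 25 microseconds per session already consumes an entire core before any rule matching happens.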