[Snort-devel] http_gunzip preprocessor

Frank Knobbe frank at ...2134...
Thu Jan 5 08:44:06 EST 2006

On Thu, 2006-01-05 at 11:34 -0500, Brian Caswell wrote:
> While a gige sensor is probably much faster, even if it was 6 times 
> faster, adding additional second per to handle those requests means 
> Snort is going to drop a TON of traffic.
> Decompression is NOT negligible.  Even only doing 500 bytes of it.

Relatively to decompressing the whole stream, yes.

If performance is required, like on Gig links, don't turn it on. I'm
sure you guys tune sensors based on their deployment environment, so
disabling any CPU intensive things on heavily loaded sensors should be
normal procedure anyway. Wouldn't you agree?


It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20060105/56c187e8/attachment.sig>

More information about the Snort-devel mailing list