[Snort-devel] http_gunzip preprocessor
frank at ...2134...
Thu Jan 5 08:44:06 EST 2006
On Thu, 2006-01-05 at 11:34 -0500, Brian Caswell wrote:
> While a gige sensor is probably much faster, even if it was 6 times
> faster, adding additional second per to handle those requests means
> Snort is going to drop a TON of traffic.
> Decompression is NOT negligible. Even only doing 500 bytes of it.
Relatively to decompressing the whole stream, yes.
If performance is required, like on Gig links, don't turn it on. I'm
sure you guys tune sensors based on their deployment environment, so
disabling any CPU intensive things on heavily loaded sensors should be
normal procedure anyway. Wouldn't you agree?
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 187 bytes
Desc: This is a digitally signed message part
More information about the Snort-devel