[Bro-Dev] UDP payload signatures

Siwek, Jonathan Luke jsiwek at illinois.edu
Tue Jul 3 15:10:52 PDT 2012

>  As a test, we could create
> something like a "worst-case trace" that only has traffic of the kind
> relevent here and measure if the signature matching makes a noticable
> difference.

I did some tests with 2,5702,400 total 1-byte (\x58) payload UDP packets over 25,100 connections comprised of 1,024 packets each and the worst performance impact I saw was a +0.2% difference when adding the new UDP signatures.

> That looks like a bug in the code. Also reminds me that we should
> really have unit tests for the signature engine ...

Just made a ticket for now:  http://tracker.bro-ids.org/bro/ticket/844


More information about the bro-dev mailing list