[Bro-Dev] UDP payload signatures

Siwek, Jonathan Luke jsiwek at illinois.edu
Tue Jul 3 15:10:52 PDT 2012


> As a test, we could create
> something like a "worst-case trace" that only has traffic of the kind
> relevant here and measure if the signature matching makes a noticeable
> difference.

I did some tests with 25,702,400 total 1-byte (\x58) payload UDP packets over 25,100 connections comprised of 1,024 packets each and the worst performance impact I saw was a +0.2% difference when adding the new UDP signatures.

> That looks like a bug in the code. Also reminds me that we should
> really have unit tests for the signature engine ...

Just made a ticket for now:  http://tracker.bro-ids.org/bro/ticket/844

    Jon

