[Oisf-users] silly performance question

Christophe Vandeplas christophe at vandeplas.com
Wed Apr 17 06:44:02 UTC 2013


Hello,

We were wondering about the performance difference between:

a) alert udp any any -> any 53 (content:"|03|foo|03|com|00|";)

b) alert udp $DNS_SERVERS_DMZ any -> any 53 (content:"|03|foo|03|com|00|";)

This considering that we are interested in searching for any query to
that foo.com domain.
There would probably be no other DNS traffic than the one from the
systems defined in $DNS_SERVERS.
I presume the difference in performance will be caused by the way the
pattern-tree is built/checked.

Please no "I think that", we've been discussing this internally and we
finally ended in a situation where everyone used arguments of the "I
think that" kind and no "this behavior explains ..."

Thanks
Christophe
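As an added illustration (not part of the original post or of Suricata's own code), the script below builds DNS wire-format queries for a few constructed names and applies the `|03|foo|03|com|00|` content bytes from rules (a) and (b) as a plain substring search over the UDP payload, which is what a bare `content:` keyword amounts to; it ignores Suricata's multi-pattern matcher and the address-group pre-filtering that the question is really about, and only shows which names that byte pattern does and does not hit.

```python
# Added example: what the content pattern |03|foo|03|com|00| matches.
# The DNS header/question layout follows RFC 1035; the payloads below
# are constructed for this demonstration.
import struct

# The content bytes from the rule in the post, as raw bytes.
CONTENT = b"\x03foo\x03com\x00"


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: <len><label>... terminated by 0x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query (12-byte header + one question) for name."""
    # id, flags (RD set), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def rule_matches(payload: bytes) -> bool:
    """Emulate a bare content match: substring search over the whole payload."""
    return CONTENT in payload


def matches_for(names):
    """Map each constructed query name to whether the content pattern hits it."""
    return {n: rule_matches(build_query(n)) for n in names}


if __name__ == "__main__":
    # The trailing 0x00 anchors the end of the name, the leading 0x03 only
    # anchors a label boundary, so www.foo.com matches but xfoo.com and
    # foo.com.example do not.
    for name, hit in matches_for(
        ["foo.com", "www.foo.com", "xfoo.com", "foo.com.example"]
    ).items():
        print(f"{name:18s} -> {'match' if hit else 'no match'}")
```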

