[Oisf-users] silly performance question
Victor Julien
lists at inliniac.net
Wed Apr 17 11:01:59 UTC 2013
On 04/17/2013 09:25 AM, Christophe Vandeplas wrote:
>>> a) alert udp any any -> any 53 (content:"|03|foo|03|com|00|";)
>>> >>
>>> >> b) alert udp $DNS_SERVERS_DMZ any -> any 53 (content:"|03|foo|03|com|00|";)
>>> >>
>>> >> This considering that we are interested in searching for any query to
>>> >> that foo.com domain.
>>> >> There would probably be no other DNS traffic than the one from the
>>> >> systems defined in $DNS_SERVERS.
>>> >> I presume the difference in performance will be caused by the way the
>>> >> pattern-tree is build/checked.
>> >
>> > This affects rule grouping, yes. It will cause your 2nd rule to be
>> > checked less often which should improve perf. However, it does make the
>> > rule tree larger at the cost of memory.
> Will the any any udp/53 rule be checked more often even if there is no
> other port53 traffic than the one coming from $DNS_SERVERS ?
>
No. Actually, in this case the rule using $DNS_SERVERS would be slightly
more expensive as it does an extra check (the address will be checked).
But I think this is negligible.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-users
mailing list