Snort mailing list archives
RE: VAR and IP lists
From: "Estes, Matt: CPR / FCBS" <Matt.Estes () eis army mil>
Date: Tue, 2 Apr 2002 10:03:07 -0500
One more note to all those variable users... I found out the hard way that the code for spp_portscan does not like space delimited lists in variables, use the typical [1.2.3.4/32,2.3.4.5/32] notation instead or it will only accept the first one listed. This plugin parses variables AFTER it splits based on spaces, from what I understand. Also, the code looks to be ok with multiple "space-delimited" variables only. Matt
-----Original Message----- From: Chris Green [mailto:cmg () snort org] Sent: Saturday, March 30, 2002 8:27 AM To: Subba Rao Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] VAR and IP lists "Subba Rao" <sailorn () attglobal net> writes:Hi I have declared a variable for a list of addresses that Iwanted to ignore.(The list is much longer than what I have listed here) var SVCS 10.11.10.11 10.11.10.12 10.11.10.13 var SVCS2 10.11.10.30 10.11.10.40 10.11.10.50var SVCS [10.11.10.11,10.11.10.12,10.11.10.13]Snort starts up fine without complaining. It does howevermiss some of theseIP addresses in the rules. What is the correct syntax for declaring variables with list of IP addresses? I used the example from Snort manual. What is the limit of IP addresses that can be assigned to avariable? 4294967296 ;-)I had to chop the IP addresses after 70 and create a new variable.you are assigning IP addresses the wrong way. Are you trying to get 10.11.10.x? That would be 10.11.10.0/24 to get all of them. How you represent the IP addresses will affect snort's performance(I was trying to assign 300 IP addresses to a variable and Snort did not like that.) I did not look for the IP address threshold for the variable but randomly picked 70 as the limit. Thank you in advance. Subba Rao sailorn () attglobal net _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users-- Chris Green <cmg () snort org> You now have 14 minutes to reach minimum safe distance. _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: VAR and IP lists Chris Green (Apr 02)
- <Possible follow-ups>
- RE: VAR and IP lists Estes, Matt: CPR / FCBS (Apr 02)