Snort mailing list archives

Re: How many IP addresses can a variable hold?


From: Erek Adams <erek () snort org>
Date: Fri, 24 Jan 2003 17:41:02 -0500 (EST)

On Fri, 24 Jan 2003, spy guy wrote:

> In snort.conf, how many IP addresses can a variable hold?
> Will there be a performance impact if I have too many? (as in over 100)

I'm not sure on the max w/o checking the code.  I'll look later tonight.

As for performance:  If you have any sort of traffic, it will be horrid.
You _really_ should use CIDR notation and try to aggregate those IPs into
useable subnets.  Consider this:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "Evil Access"; content: "Outlook";)

If HOME_NET is set as 10.10.10.0/24 it makes one check:  Is this src ip
inside of the 10.10.10.0/24 range?

If it's set as '10.10.10.0, 10.10.10.1, 10.10.10.2, ... 10.10.10.255' then
it has to check: Is this src ip 10.10.10.0 or 10.10.10.1 or ... and so on.
Aggregate as much as you can, you'll save a lot of headaches, cpu cycles,
and a lot of typing.  :)

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
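
The aggregation recommended in the message above, as an added example that is not part of the original post: it collapses a list of individual addresses into the smallest equivalent set of CIDR blocks and formats it as a snort.conf `var` line. The function names and the sample addresses are constructed for illustration.

```python
import ipaddress

def aggregate(entries):
    """Return (collapsed IPv4 networks, rejected entries) for a list of strings."""
    nets, rejected = [], []
    for raw in entries:
        item = raw.strip()
        if not item:
            continue
        try:
            # A bare address becomes a /32. Host bits set in a CIDR entry
            # (e.g. 10.10.10.5/24) are rejected rather than silently widened.
            nets.append(ipaddress.IPv4Network(item))
        except ValueError:
            rejected.append(item)
    # collapse_addresses merges duplicates, adjacent blocks and contained
    # blocks, so the result matches exactly the same addresses as the input.
    return list(ipaddress.collapse_addresses(nets)), rejected

def snort_var(name, entries):
    """Format the aggregated list as a snort.conf variable definition."""
    nets, rejected = aggregate(entries)
    body = ",".join(str(n) for n in nets)
    if len(nets) > 1:
        body = "[" + body + "]"  # Snort IP lists are bracketed and comma-separated
    return "var %s %s" % (name, body), rejected

# Constructed sample: every host of 10.10.10.0-255 listed one by one (the
# case from the message), four adjacent hosts, one lone host, a duplicate
# and a typo.
SAMPLE = ["10.10.10.%d" % i for i in range(256)] + [
    "192.168.1.4", "192.168.1.5", "192.168.1.6", "192.168.1.7",
    "172.16.0.9", "172.16.0.9", "not-an-ip",
]

if __name__ == "__main__":
    line, rejected = snort_var("HOME_NET", SAMPLE)
    print("%d entries in, %d after aggregation" % (len(SAMPLE), line.count("/")))
    print(line)
    for bad in rejected:
        print("rejected: %s" % bad)
```
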

