Snort mailing list archives
RE: Maximum Number Of IPs Per Variable In snort.conf
From: "O'Sullivan, Mairtin" <mairtin.osullivan () imperial ac uk>
Date: Tue, 2 Aug 2005 08:30:22 +0100
Thanks. I was hoping that wasn't the case but pretty much figured it might be. As regards why... Campus network containing around 2 and a bit public /16 networks where anyone can host a server if they want. Unfortunately that's why..

-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com]
Sent: 02 August 2005 02:59
To: O'Sullivan, Mairtin
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Maximum Number Of IPs Per Variable In snort.conf

O'Sullivan, Mairtin wrote:
> Apologies if this comes through two times. I sent it a few days ago from an account which wasn't a member of Snort-Users.
>
> I was wondering what's the maximum number of IPs you can have in a variable in snort.conf? In the post below it states that the performance hit would be too great to even attempt introducing a large number of IPs. Has that changed since 2002?
>
> http://archives.neohapsis.com/archives/snort/2002-12/0600.html
AFAIK, no, that hasn't changed. I also don't think you'll see support for it anytime soon either, as I can't think of an efficient way to implement it. (But there are many people out there smarter than me, so bear in mind this is just an opinion.)

I suppose you might be able to do some really crazy many-list structure, but it would be a lot of work and suck up memory. You'd wind up having a deeply nested series of lists pointing to other lists all cross-referencing down to the same content rule lists:

- You'd start with a list of source-ip specifiers.
- Those entries would each point to a list of source-port specifiers.
- Those entries would each point to a list of dest-ip specifiers.
- Those entries would each point to a list of dest-port specifiers.
- Those would point to a list of content rules.

That would probably also hurt performance in the single-range case, so I don't think it would be quite so good for the general snort community.
> At present I was looking at putting roughly 300 /32 addresses into a single variable. The addresses are not consecutive and so can't be supernetted. Any thoughts?
My only thought is why.
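Two points in the exchange above are worth checking mechanically before committing a long host list to snort.conf: whether the addresses really cannot be supernetted, and how a membership test over a few hundred entries can be kept cheap. The script below is an added example, not code from the thread or from Snort itself. It collapses a list of hosts into the minimal set of CIDR blocks with Python's standard `ipaddress` module, emits a Snort 2.x-style bracketed `var` line (assumed to match the list syntax your Snort version accepts), and builds a matcher that keeps the /32 entries in a hash set so a lookup does not scan the whole list. The variable name `HOME_SERVERS` and every address are constructed sample data.

```python
"""Supernet check and fast membership test for a large snort.conf host list.

Added example; not part of the Snort-users thread or of the Snort code base.
Assumes plain IPv4 addresses or CIDR blocks as input; all sample data below is
constructed, and the variable name HOME_SERVERS is a placeholder.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample: 300 non-contiguous /32 hosts, one per /24, mirroring the
# poster's "roughly 300 /32 addresses" case, plus four consecutive addresses so
# the collapse step has something it can actually merge (192.0.2.8/30).
SAMPLE_HOSTS = [f"10.{i // 200}.{i % 200}.1" for i in range(300)]
SAMPLE_HOSTS += ["192.0.2.8", "192.0.2.9", "192.0.2.10", "192.0.2.11"]


def collapse(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Return the smallest list of CIDR blocks covering exactly the given hosts.

    Adjacent /32s are merged into larger prefixes; duplicates are dropped.
    If the result is as long as the input, nothing could be supernetted.
    """
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return list(ipaddress.collapse_addresses(nets))


def to_snort_var(name: str, nets: Iterable[ipaddress.IPv4Network]) -> str:
    """Render the blocks as a bracketed snort.conf variable (Snort 2.x style).

    Single hosts are written without the /32 suffix; larger blocks keep it.
    """
    parts = [
        str(n.network_address) if n.prefixlen == 32 else str(n) for n in nets
    ]
    return f"var {name} [{','.join(parts)}]"


class HostList:
    """Membership test that avoids a linear scan over every /32 entry.

    Exact hosts go into a set (O(1) lookup); only the non-/32 blocks, which are
    usually few, are checked one by one.
    """

    def __init__(self, nets: Iterable[ipaddress.IPv4Network]) -> None:
        nets = list(nets)
        self.hosts = {n.network_address for n in nets if n.prefixlen == 32}
        self.ranges = [n for n in nets if n.prefixlen != 32]

    def __contains__(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        if ip in self.hosts:
            return True
        return any(ip in n for n in self.ranges)


def summarize(entries: Iterable[str]) -> dict:
    """Report how far the list collapsed; handy as a pre-deployment check."""
    entries = list(entries)
    nets = collapse(entries)
    return {
        "input_entries": len(entries),
        "blocks_after_collapse": len(nets),
        "merged_entries": len(entries) - len(nets),
    }


if __name__ == "__main__":
    blocks = collapse(SAMPLE_HOSTS)
    print(summarize(SAMPLE_HOSTS))
    print(to_snort_var("HOME_SERVERS", blocks)[:80] + "...")
    matcher = HostList(blocks)
    for probe in ("10.0.5.1", "192.0.2.10", "10.0.5.2"):
        print(probe, "in list:", probe in matcher)
```

Run it against your real list instead of `SAMPLE_HOSTS`: if `merged_entries` is zero the addresses are genuinely non-contiguous, as the poster says, and the remaining question is purely how the engine stores the list, not how it is written.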
Current thread:
- Maximum Number Of IPs Per Variable In snort.conf O'Sullivan, Mairtin (Aug 01)
- Re: Maximum Number Of IPs Per Variable In snort.conf Matt Kettler (Aug 01)
- <Possible follow-ups>
- RE: Maximum Number Of IPs Per Variable In snort.conf O'Sullivan, Mairtin (Aug 02)