Re: VAR and IP lists

[Chris Green <cmg () snort org>]

"Subba Rao" <sailorn () attglobal net> writes:

> Hi
>
> I have declared a variable for a list of addresses that I wanted to ignore.
> (The list is much longer than what I have listed here)
>
> var SVCS 10.11.10.11 10.11.10.12 10.11.10.13
> var SVCS2 10.11.10.30 10.11.10.40 10.11.10.50

var SVCS [10.11.10.11,10.11.10.12,10.11.10.13]
> Snort starts up fine without complaining. It does however miss some of these
> IP addresses
> in the rules.
>
> What is the correct syntax for declaring variables with list of IP
> addresses? I used the
> example from Snort manual.
>
> What is the limit of IP addresses that can be assigned to a variable? 

4294967296 ;-)

> I had to chop the IP addresses after 70 and create a new
> variable. 

you are assigning IP addresses the wrong way.  Are you trying to get
10.11.10.x?  That would be 10.11.10.0/24  to get all of them.  How you
represent the IP addresses will affect snort's performance

> (I was trying to assign 300 IP addresses to a variable and Snort did
> not like that.) I did not look for the IP address threshold for the
> variable but randomly picked 70 as the limit.
>
> Thank you in advance.
>
> Subba Rao
> sailorn () attglobal net
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Chris Green <cmg () snort org>
You now have 14 minutes to reach minimum safe distance.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users