Snort mailing list archives
Re: HTTP_SERVERS variable length
From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 27 Dec 2002 14:50:06 -0500
I think you'll hit performance limits long before input limits. In general, snort performance is SEVERELY degraded by having multiple entries in a comma-delimited list for an IP specifier. You probably don't ever want to have more than 10.
However it is not degraded by using CIDR blocks, so if your HTTP servers happen to fit into the same block of IPs, or a couple of blocks, you should consider doing so.
i.e.:

    var HTTP_SERVERS [192.168.1.0/24]

or maybe a couple of CIDR blocks:

    var HTTP_SERVERS [192.168.1.0/28,192.168.3.0/24,192.168.5.4/31]

Do you really have 150 HTTP servers all at non-consecutive IP addresses?? I can't imagine that makes for a reasonable, easy-to-maintain network. If nothing else, your router config must be an insane rat's nest, or a wide-open hole, if that's the case.
At 01:13 PM 12/27/2002 -0500, Steven Rudolph wrote:
How long can the var for HTTP_SERVERS be? Where would I find this in the code?

I need a length of about 2000 characters as I have about 150 HTTP servers that are in my network.
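The consolidation suggested in the reply above can be done mechanically. This is an added example, not part of the original thread or of Snort itself: it collapses a host list into the smallest set of CIDR blocks that covers exactly the same addresses, so the variable never matches a host that was not listed. The sample addresses are constructed, and the function names and `MAX_ENTRIES` constant are hypothetical.

```python
import ipaddress

# Constructed sample input (not from the thread): one address or CIDR per token.
SAMPLE_HOSTS = """
192.168.1.0 192.168.1.1 192.168.1.2 192.168.1.3
192.168.1.4 192.168.1.5 192.168.1.6 192.168.1.7
192.168.3.10
192.168.5.4 192.168.5.5
192.168.5.5
"""

MAX_ENTRIES = 10  # rule of thumb from the reply: avoid more than 10 list entries


def collapse_hosts(text):
    """Return the minimal list of IPv4 networks covering exactly the input."""
    nets = []
    for token in text.split():
        # strict=True rejects entries with host bits set (e.g. 10.0.0.1/24),
        # which usually indicates a typo in the inventory.
        nets.append(ipaddress.IPv4Network(token, strict=True))
    # collapse_addresses merges duplicates and adjacent, aligned blocks only;
    # it never widens the set to include unlisted addresses.
    return list(ipaddress.collapse_addresses(nets))


def covered(nets):
    """Total number of addresses matched by the list."""
    return sum(n.num_addresses for n in nets)


def snort_var(name, nets):
    """Render the list in the bracketed form used in the reply."""
    return "var %s [%s]" % (name, ",".join(str(n) for n in nets))


def within_limit(nets, limit=MAX_ENTRIES):
    """True when the list length stays at or under the rule-of-thumb limit."""
    return len(nets) <= limit


if __name__ == "__main__":
    blocks = collapse_hosts(SAMPLE_HOSTS)
    print(snort_var("HTTP_SERVERS", blocks))
    print("entries: %d, addresses covered: %d" % (len(blocks), covered(blocks)))
    if not within_limit(blocks):
        print("warning: more than %d entries remain after collapsing" % MAX_ENTRIES)
```

If the collapsed list is still long, the remaining entries are the genuinely scattered hosts, which is the inventory to review before widening any block by hand.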