Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: HTTP_SERVERS variable length

From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 27 Dec 2002 14:50:06 -0500
I think you'll hit performance limits long before input limits.
In general snort performance is SEVERELY degraded by having multiple entries in a coma delimited list for a IP specifier. You probably don't ever want to have more than 10.
However it is not degraded by using CIDR blocks, so if your HTTP servers happen to fit into the same block of IPs, or a couple of blocks, you should consider doing so. 

ie:
var HTTP_SERVERS [192.168.1.0/24]

or maybe a couple of CIDR blocks:

var HTTP_SERVERS [192.168.1.0/28,192.168.3.0/24,192.168.5.4/31]
Do you really have 150 HTTP servers all at non-consecutive IP addresses?? I can't imagine that makes for a reasonable easy-to-maintain network. If nothing else your router config must be an insane rats nest, or a wide-open hole, if that's the case. 


At 01:13 PM 12/27/2002 -0500, Steven Rudolph wrote:

How long can the var for HTTP_SERVERS be?
Where would I find this in the code?
I need a length of about 2000 characters as I have about 150 HTTP servers that are in my network. 



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: