Snort mailing list archives

RE: HTTP_SERVERS variable length


From: "Steven Rudolph" <srudolph () iocenter net>
Date: Fri, 27 Dec 2002 16:06:19 -0500

See responses inline:

I think you'll hit performance limits long before input limits.

Yes I probably will, but I need to try.

In general snort performance is SEVERELY degraded by having multiple
entries in a comma delimited list for an IP specifier. You probably don't
ever want to have more than 10.

However it is not degraded by using CIDR blocks, so if your HTTP servers
happen to fit into the same block of IPs, or a couple of blocks, you should
consider doing so.

ie:
var HTTP_SERVERS [192.168.1.0/24]

or maybe a couple of CIDR blocks:

var HTTP_SERVERS [192.168.1.0/28,192.168.3.0/24,192.168.5.4/31]


Do you really have 150 HTTP servers all at non-consecutive IP addresses??
I can't imagine that makes for a reasonable easy-to-maintain network. If
nothing else your router config must be an insane rat's nest, or a
wide-open hole, if that's the case.

<hair_pulling>We own a 19 bit block of addresses (small ISP).  And our
wonderful former Network Engineers did not see fit to use any real plan
for implementation of anything.  My job is a pain, and getting things to
change here is like rolling water uphill.
I must at least try this if possible.
I may try narrowing the CIDR blocks down some, as I have HOME_NET
defined for about 13, I may be able to narrow this down by 1 or 2
networks.</hair_pulling>

Thanks for the Suggestion.
Steve
 

At 01:13 PM 12/27/2002 -0500, Steven Rudolph wrote:
How long can the var for HTTP_SERVERS be?
Where would I find this in the code?
I need a length of about 2000 characters as I have about 150 HTTP servers
that are in my network.
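
The trade-off discussed in this thread (a long comma-delimited host list versus a few CIDR blocks) can be worked through with a short script. This is an added example, not part of the original messages and not Snort code: it greedily merges scattered server addresses into at most 10 entries, the figure suggested in the reply, and reports how many non-server addresses the resulting blocks also cover. The function names and sample hosts are constructed for illustration, and the greedy merge is a heuristic, not a guaranteed optimum.

```python
import ipaddress

def common_supernet(a, b):
    """Smallest single CIDR block that contains both networks a and b."""
    lo = min(int(a.network_address), int(b.network_address))
    hi = max(int(a.broadcast_address), int(b.broadcast_address))
    prefix = 32 - (lo ^ hi).bit_length()       # length of the shared bit prefix
    return ipaddress.ip_network((lo, prefix), strict=False)

def merge_cost(a, b):
    """Addresses the supernet adds beyond what a and b already cover."""
    return common_supernet(a, b).num_addresses - a.num_addresses - b.num_addresses

def aggregate(hosts, max_entries=10):
    """Collapse host IPs losslessly, then merge neighbours until the list fits."""
    nets = sorted(ipaddress.collapse_addresses(ipaddress.ip_network(h) for h in hosts))
    while len(nets) > max_entries:
        # Merge the adjacent pair whose supernet over-covers the least.
        i = min(range(len(nets) - 1), key=lambda k: merge_cost(nets[k], nets[k + 1]))
        nets[i:i + 2] = [common_supernet(nets[i], nets[i + 1])]
        # A supernet may swallow other neighbours; collapse removes those.
        nets = sorted(ipaddress.collapse_addresses(nets))
    return nets

def extra_addresses(nets, hosts):
    """How many covered addresses are not in the original host list."""
    return sum(n.num_addresses for n in nets) - len({ipaddress.ip_address(h) for h in hosts})

def snort_var(name, nets):
    """Render the list in the 'var NAME [a,b,c]' form used in this thread."""
    return "var %s [%s]" % (name, ",".join(str(n) for n in nets))

# Constructed sample: eight scattered HTTP server addresses.
SAMPLE_HOSTS = ["192.168.1.1", "192.168.1.2", "192.168.1.3", "192.168.1.9",
                "192.168.3.10", "192.168.3.200", "192.168.5.4", "192.168.5.5"]

if __name__ == "__main__":
    for limit in (10, 3):
        nets = aggregate(SAMPLE_HOSTS, limit)
        print(snort_var("HTTP_SERVERS", nets))
        print("  entries=%d extra addresses matched=%d"
              % (len(nets), extra_addresses(nets, SAMPLE_HOSTS)))
```

Every extra address a block covers is a host that HTTP-specific rules will also be evaluated against, so the over-coverage figure is worth checking against HOME_NET before committing the shorter list.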
