Snort mailing list archives
RE: HTTP_SERVERS variable length
From: "Steven Rudolph" <srudolph () iocenter net>
Date: Fri, 27 Dec 2002 16:06:19 -0500
See responses inline:
I think you'll hit performance limits long before input limits.
Yes I probably will, but I need to try.
In general snort performance is SEVERELY degraded by having multiple entries in a coma delimited list for a IP specifier. You probably don't
ever want to have more than 10.
However it is not degraded by using CIDR blocks, so if your HTTP
servers
happen to fit into the same block of IPs, or a couple of blocks, you
should
consider doing so.
ie: var HTTP_SERVERS [192.168.1.0/24]
or maybe a couple of CIDR blocks:
var HTTP_SERVERS [192.168.1.0/28,192.168.3.0/24,192.168.5.4/31]
Do you really have 150 HTTP servers all at non-consecutive IP
addresses?? I
can't imagine that makes for a reasonable easy-to-maintain network. If nothing else your router config must be an insane rats nest, or a
wide-open
hole, if that's the case.
<hair_pulling>We own a 19 bit block of addresses (small ISP). And our wonderful former Network Engineers did not see fit to use any real plan for implementation of anything. My job is a pain, and getting things to change here is like rolling water uphill. I must at least try this if possible. I may try narrowing the CIDER blocks down some, as I have HOME_NET defined for about 13 I may be able to narrow this down by 1 or 2 networks.</hair_pulling> Thanks for the Suggestion. Steve At 01:13 PM 12/27/2002 -0500, Steven Rudolph wrote:
How long can the var for HTTP_SERVERS be? Where would I find this in the code? I need a length of about 2000 characters as I have about 150 HTTP
servers
that are in my network.
Attachment:
smime.p7s
Description:
Current thread:
- HTTP_SERVERS variable length Steven Rudolph (Dec 27)
- Re: HTTP_SERVERS variable length Andrew R. Baker (Dec 27)
- <Possible follow-ups>
- Re: HTTP_SERVERS variable length Matt Kettler (Dec 27)
- RE: HTTP_SERVERS variable length Steven Rudolph (Dec 27)