Snort mailing list archives

Re: Maximum Number Of IPs Per Variable In snort.conf


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 01 Aug 2005 21:58:44 -0400

O'Sullivan, Mairtin wrote:
> Apologies if this comes through two times. I sent it a few days ago from
> an account which wasn't a member of Snort-Users.
>
> I was wondering what's the maximum number of IPs you can have in a
> variable in snort.conf?
>
> In the post below it states that the performance hit would be too great
> to even attempt introducing a large number of IPs. Has that changed
> since 2002?
> http://archives.neohapsis.com/archives/snort/2002-12/0600.html

AFAIK, no, that hasn't changed.

I also don't think you'll see support for it anytime soon either, as I can't
think of an efficient way to implement it. (But there are many people out there
smarter than me, so bear in mind this is just an opinion.)

I suppose you might be able to do some really crazy many-list structure, but it
would be a lot of work and suck up memory.

You'd wind up having a deeply nested series of lists pointing to other lists all
cross-referencing down to the same content rule lists.

You'd start with a list of source-ip specifiers.
Those entries would each point to a list of source-port specifiers.
Those entries would each point to a list of dest-ip specifiers.
Those entries would each point to a list of dest-port specifiers.
Those would point to a list of content rules.

That would probably also hurt performance in the single-range case, so I don't
think it would be quite so good for the general snort community.


> At present I was to look at putting roughly 300 /32 addresses into a
> single variable.
>
> The addresses are not consecutive and so can't be supernetted.
>
> Any thoughts?

My only thought is why.




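The nested-list layout sketched in the reply above, as an added C example that is not part of the original post and is not Snort's code. The `node` struct, `add_rule` and `lookup` are hypothetical names, the 300 addresses are constructed, and it assumes each source entry gets its own sub-lists with only the rule list shared.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical node, one specifier per level: 0=src-ip 1=src-port 2=dst-ip 3=dst-port */
typedef struct node {
    uint32_t lo, hi;      /* inclusive range this specifier matches */
    struct node *next;    /* next specifier in the same list */
    void *down;           /* next level's list; at level 3, the rule list */
} node;
static size_t nodes_allocated, compares;   /* memory and per-packet cost */
static node *push(node *head, uint32_t lo, uint32_t hi, void *down) {
    node *n = malloc(sizeof *n);
    if (!n) abort();
    n->lo = lo; n->hi = hi; n->down = down; n->next = head;
    nodes_allocated++;
    return n;
}

/* Add one rule whose source is n single (/32) addresses; r[0..2] are {lo,hi} for
 * src-port, dst-ip, dst-port. Assumption: only the final rule list is shared. */
node *add_rule(node *root, const uint32_t *src, size_t n,
               const uint32_t r[3][2], const char *rules) {
    for (size_t i = 0; i < n; i++) {
        void *down = (void *)rules;
        for (int l = 2; l >= 0; l--) down = push(NULL, r[l][0], r[l][1], down);
        root = push(root, src[i], src[i], down);
    }
    return root;
}

/* Walk the levels for one packet key {src-ip, src-port, dst-ip, dst-port}. */
const char *lookup(const node *list, const uint32_t key[4], int level) {
    for (; list; list = list->next) {
        compares++;
        if (key[level] < list->lo || key[level] > list->hi) continue;
        if (level == 3) return list->down;
        const char *hit = lookup(list->down, key, level + 1);
        if (hit) return hit;
    }
    return NULL;
}

int main(void) {
    uint32_t src[300];   /* constructed sample: 300 non-adjacent addresses */
    for (uint32_t i = 0; i < 300; i++) src[i] = 0x0A000001u + 2u * i;
    const uint32_t r[3][2] = {{0, 65535}, {0xC0A80100u, 0xC0A801FFu}, {80, 80}};
    const uint32_t pkt[4] = {src[0], 40000, 0xC0A80105u, 80};
    const char *hit = lookup(add_rule(NULL, src, 300, r, "web rules"), pkt, 0);
    printf("%s: %zu nodes, %zu compares\n", hit ? hit : "no match", nodes_allocated, compares);
}
```

With the 300-address sample, one rule allocates 1200 nodes and a single packet can need up to 303 comparisons before reaching the rule list.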

