[Snort-devel] RE: [Snort-users] HTTP_SERVERS variable length

Russell Fulton r.fulton at ...1343...
Fri Jan 10 13:34:01 EST 2003


Hi Steven,
	I've cc'ed this back to the list since I have additional questions.
(Steven was having problems with a long list of IP addresses in var
statements).

On Sat, 2003-01-11 at 08:00, Steven Rudolph wrote:
>> Have you tried splitting the list into several variables:

>> eg. 

>> var HTTP_SERVERS_A ...................................
>> var HTTP_SERVERS_B ...................................
>> var HTTP_SERVERS_C ...................................

>> var HTTP_SERVERS $HTTP_SERVERS_A $HTTP_SERVERS_B $HTTP_SERVERS_C

> This worked like a charm!

Great! How does snort perform with long lists of addresses in rules?
(I am wondering if having long lists is more expensive than just
checking everything).


We have over 200 webservers on campus that are exposed to the 'Net and I
have a list of them (from the firewall settings) so I could easily build
a list and ship it to the snort monitor.

Does anyone else have opinions on this?



-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It aint necessarily so"  - Gershwin
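
An added example, not part of the original message or of Snort itself: one way to turn an address list exported from firewall settings into the split variables suggested in the thread, collapsing duplicates and adjacent addresses into CIDR blocks first so the list is as short as possible. The function name, the `max_line_len` limit, the bracketed comma-separated list form and the `[$A,$B]` combining form are assumptions to check against your Snort version; the sample addresses are constructed.

```python
import ipaddress
import string

def build_snort_vars(addresses, name="HTTP_SERVERS", max_line_len=200):
    """Return snort.conf lines defining `name` via several shorter variables.

    max_line_len is an assumed limit; the thread does not state the real one.
    """
    nets = set()
    for raw in addresses:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue  # skip blanks and comments in the exported list
        # Raises ValueError on malformed input instead of emitting a bad var.
        nets.add(ipaddress.IPv4Network(entry))
    if not nets:
        raise ValueError("no addresses supplied")
    # Merge duplicates and adjacent hosts/subnets into the fewest CIDR blocks.
    merged = ipaddress.collapse_addresses(nets)
    items = [str(n.network_address) if n.prefixlen == 32 else str(n) for n in merged]

    # Greedily pack entries so no generated var line exceeds max_line_len.
    chunks, current = [], []
    for item in items:
        candidate = current + [item]
        line = f"var {name}_X [{','.join(candidate)}]"
        if current and len(line) > max_line_len:
            chunks.append(current)
            current = [item]
        else:
            current = candidate
    chunks.append(current)
    if len(chunks) > len(string.ascii_uppercase):
        raise ValueError("too many chunks for single-letter suffixes")

    lines, refs = [], []
    for letter, chunk in zip(string.ascii_uppercase, chunks):
        lines.append(f"var {name}_{letter} [{','.join(chunk)}]")
        refs.append(f"${name}_{letter}")
    # Assumed combining syntax: a bracketed list of variable references.
    lines.append(f"var {name} [{','.join(refs)}]")
    return lines

# Constructed sample input (RFC 5737 documentation addresses).
SAMPLE = ["192.0.2.10", "192.0.2.11", "192.0.2.10", "198.51.100.0/25",
          "198.51.100.128/25", "# decommissioned", "203.0.113.7"]

if __name__ == "__main__":
    print("\n".join(build_snort_vars(SAMPLE, max_line_len=60)))
```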
