[Snort-devel] RE: [Snort-users] HTTP_SERVERS variable length

Steven Rudolph srudolph at ...1213...
Mon Jan 13 06:45:08 EST 2003


Performance:
The list is about 200 servers long, divided somewhat as Russell described.
I am doing this by machine name with all virtual IPs attached to each
machine.
Before I had this in place I was running about 50% @ 10MB.
The top output below is for today, running at 11.5MB (I got this from NTOP
running on the same port span).

last pid: 10096;  load averages:  0.71,  0.55,  0.51    09:33:44
20 processes:  18 sleeping, 1 running, 1 on cpu
CPU states: 25.9% idle, 63.5% user, 10.6% kernel,  0.0% iowait,  0.0% swap
Memory: 512M real, 430M free, 30M swap in use, 1377M swap free

   PID USERNAME THR PRI NICE  SIZE   RES STATE    TIME    CPU COMMAND
  3397 snort      1  50    0   20M   19M run     28.9H 63.42% snort

Seems to be working quite well.  I will send an update later when our
network peaks out for the day.

Steve

-----Original Message-----
From: Russell Fulton [mailto:r.fulton at ...1343...]
Sent: Friday, January 10, 2003 4:33 PM
To: Steven Rudolph
Cc: snort-devel at lists.sourceforge.net
Subject: RE: [Snort-devel] RE: [Snort-users] HTTP_SERVERS variable
length


Hi Steven,
	I've cc'ed this back to the list since I have additional
questions.
(Steven was having problems with a long list of IP addresses in var
statements.)

On Sat, 2003-01-11 at 08:00, Steven Rudolph wrote:
>> Have you tried splitting the list into several variables:

>> eg. 

>> var HTTP_SERVERS_A ...................................
>> var HTTP_SERVERS_B ...................................
>> var HTTP_SERVERS_C ...................................

>> var HTTP_SERVERS $HTTP_SERVERS_A $HTTP_SERVERS_B $HTTP_SERVERS_C

> This worked like a charm!

Great! How does Snort perform with long lists of addresses in rules?
(I am wondering if having long lists is more expensive than just
checking everything.)


We have over 200 web servers on campus that are exposed to the 'Net and I
have a list of them (from the firewall settings), so I could easily build
a list and ship it to the snort monitor.

Does anyone else have opinions on this?



-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It aint necessarily so"  - Gershwin
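An added example, not code from either poster or from the Snort project: a small generator that takes a list of web-server addresses (such as the firewall export Russell mentions) and emits the split-variable layout he suggested, so the config can be regenerated whenever the server list changes instead of hand-editing a 200-entry line. It assumes the bracketed, comma-separated list form `var NAME [a,b,c]` and nested references `[$A,$B]` that Snort 2.x accepts; the space-separated combined form posted in the thread is what Steven reports working on his build. The function names (`normalise`, `render`, `var_name`), the `per_var` and `max_line` parameters, and the sample addresses (drawn from the RFC 5737 documentation ranges) are all constructed for this example.

```python
"""Generate split Snort 'var' statements for a long server list.

Added example for the thread above; not part of snort.conf or the Snort
source.  Assumes Snort 2.x list syntax:  var NAME [a,b,c]  and  [$A,$B].
"""
import ipaddress
import string

# Constructed sample input: IPv4 hosts and CIDRs from RFC 5737 ranges,
# with a duplicate and a comment line to show they are handled.
SAMPLE_SERVERS = [
    "192.0.2.10", "192.0.2.11", "192.0.2.12",
    "192.0.2.11",            # duplicate, dropped
    "198.51.100.0/28",       # a CIDR block is kept as-is
    "203.0.113.7",
    "# edge web farm",       # comment, skipped
    "203.0.113.8", "203.0.113.9",
]


def normalise(entries):
    """Validate and de-duplicate hosts/CIDRs, preserving input order.

    Raises ValueError for anything that is not a valid IPv4 address or
    network (including a prefix with host bits set), so a typo in the
    firewall export is caught before it reaches snort.conf.
    """
    seen, out = set(), []
    for raw in entries:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        net = ipaddress.ip_network(entry, strict=True)   # ValueError if bad
        if net.version != 4:
            raise ValueError(f"not an IPv4 entry: {entry}")
        text = str(net.network_address) if net.prefixlen == 32 else str(net)
        if text not in seen:
            seen.add(text)
            out.append(text)
    return out


def chunk(items, size):
    """Cut a list into consecutive pieces of at most 'size' elements."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def var_name(base, index):
    """HTTP_SERVERS_A, _B, ... _Z, _AA, _AB ... so >26 chunks stay unique."""
    letters, n = "", index
    while True:
        letters = string.ascii_uppercase[n % 26] + letters
        n = n // 26 - 1
        if n < 0:
            return f"{base}_{letters}"


def render(entries, base="HTTP_SERVERS", per_var=50, max_line=None):
    """Return the snort.conf fragment as one string.

    per_var  - how many addresses go into each partial variable.
    max_line - optional hard cap on emitted line length; exceeding it
               raises so the operator lowers per_var rather than shipping
               a line the config parser may truncate.
    """
    hosts = normalise(entries)
    if not hosts:
        raise ValueError("no valid addresses to emit")
    lines, names = [], []
    for i, part in enumerate(chunk(hosts, per_var)):
        name = var_name(base, i)
        line = f"var {name} [{','.join(part)}]"
        if max_line is not None and len(line) > max_line:
            raise ValueError(f"{name} is {len(line)} chars; lower per_var")
        names.append(name)
        lines.append(line)
    # Combined variable referencing the partial ones, for use in rules as
    # $HTTP_SERVERS (e.g.  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 ...).
    lines.append(f"var {base} [{','.join('$' + n for n in names)}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_SERVERS, per_var=3))
```

Pipe the output into an include file and `include` it from snort.conf; rerunning the script after a firewall change keeps the partial variables consistent and avoids the single overlong line that started this thread.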
