[Snort-devel] RE: [Snort-users] HTTP_SERVERS variable length

Chris Green cmg at ...402...
Mon Jan 13 06:55:05 EST 2003


"Steven Rudolph" <srudolph at ...1213...> writes:

> Performance: The list is about 200 servers long divided somewhat
> like described by Russell.  I am doing this by machine name with all
> virtual IP's attached to each machine.  Before I had this in place I
> was running about 50%@10MB.  The Top from below is for today running
> at 11.5MB (got this from NTOP running on same port span)


If you have 200 servers and the firewall to prevent other machines
from being accessed via HTTP, use your $HOME_NET to be the
$HTTP_SERVERS variable.  When you have 200 servers, it's too easy for
one change to happen and not update your snort.conf and be blind to
attacks on a newly installed server.

Internally, snort uses a list of ips to check and as you add more ips,
you are actually slowing down snort a bit.

There is a list limit and the dual variable trick won't really work
since it will there interpolate it into one buffer IIRC and you're
making http packets do a whole lot of work.
-- 
Chris Green <cmg at ...402...>
Laugh and the world laughs with you, snore and you sleep alone.




More information about the Snort-devel mailing list