[Snort-devel] RE: [Snort-users] HTTP_SERVERS variable length
cmg at ...402...
Mon Jan 13 06:55:05 EST 2003

"Steven Rudolph" <srudolph at ...1213...> writes:

> Performance: The list is about 200 servers long divided somewhat
> like described by Russell. I am doing this by machine name with all
> virtual IPs attached to each machine. Before I had this in place I
> was running about 50%@10MB. The Top from below is for today running
> at 11.5MB (got this from NTOP running on same port span)

If you have 200 servers and the firewall to prevent other machines
from being accessed via HTTP, use your $HOME_NET to be the
$HTTP_SERVERS variable. When you have 200 servers, it's too easy for
one change to happen and not update your snort.conf and be blind to
attacks on a newly installed server.

Internally, snort uses a list of IPs to check and as you add more IPs,
you are actually slowing down snort a bit.

There is a list limit and the dual variable trick won't really work
since it will then interpolate it into one buffer IIRC and you're
making http packets do a whole lot of work.

Chris Green <cmg at ...402...>
Laugh and the world laughs with you, snore and you sleep alone.
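
The drift described in the reply above (a server gets installed and the $HTTP_SERVERS list in snort.conf is never updated) can be checked mechanically. The following is an added example, not part of the original message or of Snort itself: the config fragment, the inventory, and the helper names are constructed for illustration, and the parser is a simplification that handles only `var` lines, bracketed lists, `$VAR` references and `any` (no `!` negation).

```python
import ipaddress
import re

# Constructed sample snort.conf fragment (documentation address range).
SAMPLE_CONF = """\
var HOME_NET 192.0.2.0/24
var WEB_A [192.0.2.10/32,192.0.2.11/32]
var HTTP_SERVERS [$WEB_A,192.0.2.20/32]
"""

# Constructed inventory of hosts that currently serve HTTP.
SAMPLE_INVENTORY = ["192.0.2.10", "192.0.2.20", "192.0.2.77"]

VAR_LINE = re.compile(r"^\s*var\s+(\S+)\s+(.+?)\s*$")

def parse_vars(conf_text):
    """Return {name: raw value} for every 'var NAME VALUE' line."""
    out = {}
    for line in conf_text.splitlines():
        m = VAR_LINE.match(line.split("#", 1)[0])  # drop trailing comments
        if m:
            out[m.group(1)] = m.group(2)
    return out

def resolve(name, variables, seen=()):
    """Expand a variable into ip_network objects, following $REFERENCES."""
    if name in seen:
        raise ValueError("circular reference: " + name)
    nets = []
    for item in variables[name].strip("[]").split(","):
        item = item.strip()
        if item.startswith("$"):
            nets += resolve(item[1:], variables, seen + (name,))
        elif item == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def uncovered(conf_text, inventory, var="HTTP_SERVERS"):
    """Inventory hosts that no entry of `var` matches (blind spots)."""
    nets = resolve(var, parse_vars(conf_text))
    return [h for h in inventory
            if not any(ipaddress.ip_address(h) in n for n in nets)]

if __name__ == "__main__":
    print("not covered by HTTP_SERVERS:", uncovered(SAMPLE_CONF, SAMPLE_INVENTORY))
```

With the explicit list, the constructed host 192.0.2.77 is reported as uncovered; pointing HTTP_SERVERS at $HOME_NET, as the reply suggests, leaves nothing uncovered for hosts inside that network.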