[Snort-devel] RE: [Snort-users] HTTP_SERVERS variable length
srudolph at ...1213...
Mon Jan 13 07:20:10 EST 2003
The list limit was the intention of my original query to the list,
although I did not word it quite right.
What is the list limit?
You make a good point about potentially missing a server in snort.conf
as it may apply to the general public.
In this instance I control the firewall at a very granular level and
maintain a nice list of what is running http. The servers that are
being watched are spread across 5 subnets internally, so I thought a
tight list of IPs might perform slightly better.
Thanks everyone for your input.
From: Chris Green [mailto:cmg at ...402...]
Sent: Sunday, January 12, 2003 5:17 PM
To: Steven Rudolph
Cc: Russell Fulton; snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] RE: [Snort-users] HTTP_SERVERS variable
"Steven Rudolph" <srudolph at ...1213...> writes:
> Performance: The list is about 200 servers long, divided somewhat
> as described by Russell. I am doing this by machine name with all
> virtual IPs attached to each machine. Before I had this in place I
> was running about 50%@10MB. The top output below is for today running
> at 11.5MB (got this from NTOP running on the same port span).
If you have 200 servers and the firewall to prevent other machines
from being accessed via HTTP, use your $HOME_NET to be the
$HTTP_SERVERS variable. When you have 200 servers, it's too easy for
one change to happen and not update your snort.conf and be blind to
attacks on a newly installed server.
Internally, snort uses a list of ips to check and as you add more ips,
you are actually slowing down snort a bit.
There is a list limit, and the dual-variable trick won't really work,
since it will interpolate it into one buffer there IIRC, and you're
making HTTP packets do a whole lot of work.
Chris Green <cmg at ...402...>
Laugh and the world laughs with you, snore and you sleep alone.
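As an added illustration of the two approaches discussed above (this fragment is not from the original thread and not from the Snort project; the subnets and addresses are invented placeholders), here is a hypothetical snort.conf excerpt showing an explicit server list beside the $HOME_NET alias that the reply recommends:

```conf
# Added example, not from the original thread. All addresses are invented.

# Internal address space: five subnets, written as a Snort IP list
# (square brackets, comma-separated, no spaces).
var HOME_NET [10.1.0.0/24,10.2.0.0/24,10.3.0.0/24,10.4.0.0/24,10.5.0.0/24]

# Option A: enumerate every web server explicitly. Each entry is one more
# address Snort checks per HTTP packet, and a server installed later but
# not added here is invisible to the HTTP rules.
# var HTTP_SERVERS [10.1.0.10,10.1.0.11,10.2.0.20,10.3.0.30]

# Option B (the suggestion in the reply): when the firewall already limits
# which hosts can be reached over HTTP, alias HTTP_SERVERS to HOME_NET so
# newly installed servers are covered without editing snort.conf.
var HTTP_SERVERS $HOME_NET

# Port variable used by the HTTP rules; unchanged under either option.
var HTTP_PORTS 80
```

Only one of the two HTTP_SERVERS lines should be active at a time; the commented-out list is kept to show what the firewall-backed alias replaces.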