[Snort-devel] RE: [Snort-users] HTTP_SERVERS variable length

Steven Rudolph srudolph at ...1213...
Mon Jan 13 07:20:10 EST 2003


The list limit was the intention of my original query to the list,
although I did not word it quite right.

What is the list limit?

You make a good point about potentially missing a server in snort.conf
as it may apply to the general public.
In this instance I control the firewall at a very granular level and
maintain a nice list of what is running http.  The servers that are
being watched are spread across 5 subnets internally, so I thought a
tight list of IP's might perform slightly better.

Thanks everyone for your input.

Steve


-----Original Message-----
From: Chris Green [mailto:cmg at ...402...]
Sent: Sunday, January 12, 2003 5:17 PM
To: Steven Rudolph
Cc: Russell Fulton; snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] RE: [Snort-users] HTTP_SERVERS variable
length


"Steven Rudolph" <srudolph at ...1213...> writes:

> Performance: The list is about 200 servers long divided somewhat
> like described by Russell.  I am doing this by machine name with all
> virtual IP's attached to each machine.  Before I had this in place I
> was running about 50%@10MB.  The Top from below is for today running
> at 11.5MB (got this from NTOP running on same port span)


If you have 200 servers and the firewall to prevent other machines
from being accessed via HTTP, use your $HOME_NET to be the
$HTTP_SERVERS variable.  When you have 200 servers, it's too easy for
one change to happen and not update your snort.conf and be blind to
attacks on a newly installed server.

Internally, snort uses a list of ips to check and as you add more ips,
you are actually slowing down snort a bit.

There is a list limit and the dual variable trick won't really work
since it will there interpolate it into one buffer IIRC and you're
making http packets do a whole lot of work.
-- 
Chris Green <cmg at ...402...>
Laugh and the world laughs with you, snore and you sleep alone.
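
Added example, not part of the thread or of Snort itself: a small check for the drift Chris describes, comparing the hosts known to serve HTTP against what $HTTP_SERVERS in snort.conf actually covers. The function names, the sample config and the inventory addresses are all constructed for illustration; negated (!) entries are not handled.

```python
import ipaddress
import re

# Constructed snort.conf fragment; the addresses are made up for this example.
SAMPLE_CONF = """
var HOME_NET [10.1.0.0/16,10.2.0.0/16]
var HTTP_SERVERS [10.1.1.10,10.1.1.11/32,10.2.5.0/28]  # hand-maintained list
"""

# Constructed inventory of hosts the firewall allows to serve HTTP.
SAMPLE_INVENTORY = ["10.1.1.10", "10.1.1.11", "10.2.5.7", "10.2.9.40"]

VAR_RE = re.compile(r"^\s*var\s+(\S+)\s+(.+?)\s*$")


def parse_vars(conf_text):
    """Return {name: raw value} for every 'var NAME value' line."""
    variables = {}
    for line in conf_text.splitlines():
        match = VAR_RE.match(line.split("#", 1)[0])  # drop trailing comments
        if match:
            variables[match.group(1)] = match.group(2)
    return variables


def resolve(name, variables, seen=()):
    """Expand a variable into ip_network objects, following $NAME references."""
    if name in seen:
        raise ValueError("circular variable reference: " + name)
    networks = []
    for item in variables[name].strip("[]").split(","):
        item = item.strip()
        if item.startswith("$"):
            networks.extend(resolve(item[1:], variables, seen + (name,)))
        elif item == "any":
            networks.append(ipaddress.ip_network("0.0.0.0/0"))
        elif item:
            networks.append(ipaddress.ip_network(item, strict=False))
    return networks


def uncovered(conf_text, inventory, var="HTTP_SERVERS"):
    """Return inventory hosts that no entry of the given variable matches."""
    networks = resolve(var, parse_vars(conf_text))
    return [host for host in inventory
            if not any(ipaddress.ip_address(host) in net for net in networks)]


if __name__ == "__main__":
    print("HTTP hosts not covered by $HTTP_SERVERS:",
          uncovered(SAMPLE_CONF, SAMPLE_INVENTORY))
```
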