[Snort-devel] RE: [Snort-users] HTTP_SERVERS variable length

Russell Fulton r.fulton at ...1343...
Mon Jan 13 17:27:08 EST 2003


On Mon, 2003-01-13 at 11:17, Chris Green wrote:
> 
> If you have 200 servers and the firewall to prevent other machines
> from being accessed via HTTP, use your $HOME_NET to be the
> $HTTP_SERVERS variable.  When you have 200 servers, it's too easy for
> one change to happen and not update your snort.conf and be blind to
> attacks on a newly installed server.

Good point, however if I did it I would be building the list direct from
the same database that constructs the firewall rule sets.  If it has
port 80 access then it gets in the list.

> 
> Internally, snort uses a list of ips to check and as you add more ips,
> you are actually slowing down snort a bit.

That's what I suspected and hence my question.  Anyway Steven thinks it
works for him.  I would only try it if I was having resource problems.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It ain't necessarily so"  - Gershwin
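The reply above suggests generating $HTTP_SERVERS from the same database that produces the firewall rule set, so a host with port 80 access is automatically in the list. The script below is an added example, not code from the thread or from the Snort project: it reads a constructed, simplified rule export (action, destination network, protocol, port; not any real firewall's syntax), keeps networks that have an allow rule on a TCP web port, and renders a Snort `var HTTP_SERVERS [...]` line. It generalizes the port 80 case to a configurable set of ports, and falls back to $HOME_NET when the list comes out empty, in line with the other advice in the thread.

```python
"""Build a Snort HTTP_SERVERS variable from a firewall rule export.

Added example (not from the thread or the Snort project). The rule format
is a constructed, simplified one: one rule per line, fields separated by
whitespace: action, destination CIDR, protocol, port.
"""
import ipaddress
import re

# Constructed sample export; comments and blank lines are ignored.
FIREWALL_RULES = """\
# action  dst            proto  port
allow     10.1.1.10/32   tcp    80
allow     10.1.1.11/32   tcp    443
allow     10.1.1.11/32   tcp    80
deny      10.1.1.12/32   tcp    80
allow     10.1.2.0/24    tcp    8080
allow     10.1.1.13/32   udp    80
allow     10.1.1.10/32   tcp    80
"""

# Ports treated as "HTTP access"; the thread's case is port 80 only.
HTTP_PORTS = {80, 443, 8080}

RULE_RE = re.compile(r"^(allow|deny)\s+(\S+)\s+(tcp|udp)\s+(\d+)$")


def parse_rules(text):
    """Yield (action, network, proto, port) for each rule line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unparseable rule: {line!r}")
        action, dst, proto, port = m.groups()
        yield action, ipaddress.ip_network(dst, strict=False), proto, int(port)


def http_servers(text, ports=HTTP_PORTS):
    """Return sorted networks that have an allow rule on a TCP port in `ports`.

    First match wins per (network, port), mirroring the usual top-down
    evaluation order of a firewall rule set; duplicates collapse.
    """
    decided = {}
    for action, net, proto, port in parse_rules(text):
        if proto != "tcp" or port not in ports:
            continue
        decided.setdefault((net, port), action)
    nets = {net for (net, _port), action in decided.items() if action == "allow"}
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def snort_var(name, nets):
    """Render a Snort 'var' line; an empty list falls back to $HOME_NET."""
    if not nets:
        return f"var {name} $HOME_NET"
    return f"var {name} [{','.join(str(n) for n in nets)}]"


if __name__ == "__main__":
    # Paste the printed line into snort.conf, or write it to a file that
    # snort.conf includes, as part of the same job that pushes firewall rules.
    print(snort_var("HTTP_SERVERS", http_servers(FIREWALL_RULES)))
```

Regenerating the variable in the same job that deploys the firewall rules is what closes the gap the thread worries about: a newly opened port 80 shows up in $HTTP_SERVERS on the next run without anyone editing snort.conf by hand. Keeping the list tight rather than using $HOME_NET also limits how many addresses Snort has to check per packet, which is the performance cost mentioned in the thread.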