[Snort-devel] RE: [Snort-users] HTTP_SERVERS variable length
r.fulton at ...1343...
Mon Jan 13 17:27:08 EST 2003
On Mon, 2003-01-13 at 11:17, Chris Green wrote:
> If you have 200 servers and the firewall to prevent other machines
> from being accessed via HTTP, use your $HOME_NET to be the
> $HTTP_SERVERS variable. When you have 200 servers, it's too easy for
> one change to happen and not update your snort.conf and be blind to
> attacks on a newly installed server.
Good point; however, if I did it I would be building the list directly from
the same database that constructs the firewall rule sets. If it has
port 80 access then it gets in the list.
> Internally, snort uses a list of ips to check and as you add more ips,
> you are actually slowing down snort a bit.
That's what I suspected, and hence my question. Anyway, Steven thinks it
works for him. I would only try it if I was having resource problems.
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
"It aint necessarily so" - Gershwin
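The approach Russell describes, deriving HTTP_SERVERS from the same rule source that drives the firewall, as an added example that is not part of the original thread. It assumes a hypothetical iptables-style rule dump as the "database" (the sample rules and addresses below are constructed for illustration); it keeps only ACCEPT rules for an HTTP port, splits the destinations into those inside HOME_NET and those outside it (which the sensor will not see anyway), and renders the `var HTTP_SERVERS [...]` line in the comma-separated list syntax Snort used at the time. If the generator finds nothing, it falls back to `$HOME_NET` rather than emitting an empty list, so a broken export does not quietly blind the sensor in the way Chris warns about.

```python
import ipaddress
import re

# Constructed sample of iptables-style rules (hypothetical, not real data).
# In practice this text would come from the same database that builds the
# firewall rule sets.
SAMPLE_RULES = """\
-A FORWARD -d 10.1.1.10/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 10.1.1.11/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -d 10.1.1.12/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 10.1.1.13/32 -p tcp -m tcp --dport 80 -j DROP
-A FORWARD -d 10.1.1.10/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -d 192.0.2.5/32 -p tcp -m tcp --dport 80 -j ACCEPT
"""

# Assumed local network and the ports we treat as "HTTP" (assumptions).
HOME_NET = ipaddress.ip_network("10.1.0.0/16")
HTTP_PORTS = {80, 443, 8080}

# Destination, tcp, dport and jump target from a single rule line.
RULE_RE = re.compile(r"-d\s+(\S+).*?-p\s+tcp.*?--dport\s+(\d+).*?-j\s+(\w+)")


def _entry(net):
    """Render a network in Snort list syntax: bare address for a /32,
    CIDR notation otherwise."""
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def http_servers_from_rules(rules_text, home_net=HOME_NET, http_ports=HTTP_PORTS):
    """Return (inside, outside): sorted lists of destinations that have an
    ACCEPT rule for an HTTP port, split by whether they fall in home_net.
    Only the 'inside' list belongs in HTTP_SERVERS; 'outside' is reported so
    the operator can see hosts the firewall permits but the sensor ignores."""
    inside, outside = set(), set()
    for line in rules_text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        dest, port, target = m.groups()
        # A DROP rule or a non-HTTP port does not make a host an HTTP server.
        if target != "ACCEPT" or int(port) not in http_ports:
            continue
        net = ipaddress.ip_network(dest, strict=False)
        (inside if net.subnet_of(home_net) else outside).add(net)
    key = lambda n: (int(n.network_address), n.prefixlen)
    return ([_entry(n) for n in sorted(inside, key=key)],
            [_entry(n) for n in sorted(outside, key=key)])


def snort_var(servers, fallback="$HOME_NET"):
    """Render the snort.conf line. An empty list falls back to HOME_NET so a
    failed export widens coverage instead of silently removing it."""
    if not servers:
        return f"var HTTP_SERVERS {fallback}"
    return "var HTTP_SERVERS [" + ",".join(servers) + "]"


if __name__ == "__main__":
    inside, outside = http_servers_from_rules(SAMPLE_RULES)
    print(snort_var(inside))
    for host in outside:
        print(f"# warning: {host} allowed HTTP by firewall but is outside HOME_NET")
```

Running this on the sample prints `var HTTP_SERVERS [10.1.1.10,10.1.1.11]` and a warning for 192.0.2.5; the host with only port 22 open and the one whose port 80 rule is a DROP are left out. The list length is also the number Chris's performance remark is about, so a deployment script can compare `len(inside)` against whatever threshold makes the sensor noticeably slower and switch to `$HOME_NET` above it.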