[Snort-users] HTTP_SERVERS variable length

Matt Kettler mkettler at ...4108...
Fri Dec 27 11:48:03 EST 2002


I think you'll hit performance limits long before input limits.

In general snort performance is SEVERELY degraded by having multiple 
entries in a coma delimited list for a IP specifier. You probably don't 
ever want to have more than 10.

However it is not degraded by using CIDR blocks, so if your HTTP servers 
happen to fit into the same block of IPs, or a couple of blocks, you should 
consider doing so.

ie:
var HTTP_SERVERS [192.168.1.0/24]

or maybe a couple of CIDR blocks:

var HTTP_SERVERS [192.168.1.0/28,192.168.3.0/24,192.168.5.4/31]


Do you really have 150 HTTP servers all at non-consecutive IP addresses?? I 
can't imagine that makes for a reasonable easy-to-maintain network. If 
nothing else your router config must be an insane rats nest, or a wide-open 
hole, if that's the case.


At 01:13 PM 12/27/2002 -0500, Steven Rudolph wrote:
>How long can the var for HTTP_SERVERS be?
>Where would I find this in the code?
>I need a length of about 2000 characters as I have about 150 HTTP servers 
>that are in my network.





More information about the Snort-users mailing list