[Snort-users] HTTP_SERVERS variable length
srudolph at ...4612...
Fri Dec 27 13:07:02 EST 2002
See responses inline:
>I think you'll hit performance limits long before input limits.
Yes I probably will, but I need to try.
>In general snort performance is SEVERELY degraded by having multiple
>entries in a coma delimited list for a IP specifier. You probably don't
>ever want to have more than 10.
>However it is not degraded by using CIDR blocks, so if your HTTP
>happen to fit into the same block of IPs, or a couple of blocks, you
>consider doing so.
>var HTTP_SERVERS [192.168.1.0/24]
>or maybe a couple of CIDR blocks:
>var HTTP_SERVERS [192.168.1.0/28,192.168.3.0/24,192.168.5.4/31]
>Do you really have 150 HTTP servers all at non-consecutive IP
>can't imagine that makes for a reasonable easy-to-maintain network. If
>nothing else your router config must be an insane rats nest, or a
>hole, if that's the case.
<hair_pulling>We own a 19 bit block of addresses (small ISP). And our
wonderful former Network Engineers did not see fit to use any real plan
for implementation of anything. My job is a pain, and getting things to
change here is like rolling water uphill.
I must at least try this if possible.
I may try narrowing the CIDER blocks down some, as I have HOME_NET
defined for about 13 I may be able to narrow this down by 1 or 2
Thanks for the Suggestion.
At 01:13 PM 12/27/2002 -0500, Steven Rudolph wrote:
>How long can the var for HTTP_SERVERS be?
>Where would I find this in the code?
>I need a length of about 2000 characters as I have about 150 HTTP
>that are in my network.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 2220 bytes
Desc: not available
More information about the Snort-users