[Snort-users] HTTP_SERVERS variable length

Steven Rudolph srudolph at ...4612...
Fri Dec 27 13:07:02 EST 2002

See responses inline:

>I think you'll hit performance limits long before input limits.

Yes I probably will, but I need to try.

>In general snort performance is SEVERELY degraded by having multiple
>entries in a comma delimited list for an IP specifier. You probably don't
>ever want to have more than 10.

>However it is not degraded by using CIDR blocks, so if your HTTP
>happen to fit into the same block of IPs, or a couple of blocks, you
>consider doing so.


>or maybe a couple of CIDR blocks:

>var HTTP_SERVERS [,,]

>Do you really have 150 HTTP servers all at non-consecutive IP addresses?? I
>can't imagine that makes for a reasonable easy-to-maintain network. If
>nothing else your router config must be an insane rats nest, or a
>hole, if that's the case.

<hair_pulling>We own a 19 bit block of addresses (small ISP).  And our
wonderful former Network Engineers did not see fit to use any real plan
for implementation of anything.  My job is a pain, and getting things to
change here is like rolling water uphill.
I must at least try this if possible.
I may try narrowing the CIDR blocks down some; as I have HOME_NET
defined for about 13, I may be able to narrow this down by 1 or 2.

Thanks for the Suggestion.

At 01:13 PM 12/27/2002 -0500, Steven Rudolph wrote:
>How long can the var for HTTP_SERVERS be?
>Where would I find this in the code?
>I need a length of about 2000 characters as I have about 150 HTTP
>that are in my network.

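The advice in this thread (few list entries, CIDR blocks instead of per-host entries) can be checked against a server inventory before editing snort.conf. The following is an added example, not code from the original messages or from Snort: it collapses a host list into the fewest CIDR blocks that cover exactly those hosts, renders the `var HTTP_SERVERS` line, and reports how densely each enclosing block is populated so that widening a block does not silently pull non-server addresses into the variable. The sample addresses and the function names are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample inventory (RFC 5737 documentation addresses, not from the thread).
SERVERS = """
192.0.2.16 192.0.2.17 192.0.2.18 192.0.2.19
192.0.2.20 192.0.2.21 192.0.2.22 192.0.2.23
198.51.100.7
203.0.113.128 203.0.113.129
""".split()


def collapse_exact(addrs):
    """Merge host addresses into the fewest CIDR blocks covering exactly those hosts."""
    nets = (ipaddress.ip_network(a) for a in set(addrs))
    return list(ipaddress.collapse_addresses(nets))


def density(addrs, prefixlen):
    """For each enclosing /prefixlen block, the fraction of its addresses that are servers."""
    hosts = {ipaddress.ip_address(a) for a in addrs}
    counts = Counter(
        ipaddress.ip_network(f"{h}/{prefixlen}", strict=False) for h in hosts
    )
    return {net: n / net.num_addresses for net, n in counts.items()}


def snort_var(name, nets):
    """Render a Snort variable line; a single entry is written without brackets."""
    items = [str(n) for n in nets]
    body = items[0] if len(items) == 1 else "[" + ",".join(items) + "]"
    return f"var {name} {body}"


if __name__ == "__main__":
    blocks = collapse_exact(SERVERS)
    print(f"{len(SERVERS)} hosts -> {len(blocks)} list entries")
    print(snort_var("HTTP_SERVERS", blocks))
    # A low fraction means that widening to this block would also match non-server hosts.
    for net, frac in sorted(density(SERVERS, 28).items()):
        print(f"{net}: {frac:.0%} of addresses are HTTP servers")
```

Exact collapsing only helps where servers sit on adjacent addresses; for scattered hosts the density figures show what a wider block would cost in rule precision.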