[Snort-users] HTTP_SERVERS variable length

Steven Rudolph srudolph at ...4612...
Fri Dec 27 13:07:02 EST 2002


See responses inline:

>I think you'll hit performance limits long before input limits.

Yes I probably will, but I need to try.

>In general snort performance is SEVERELY degraded by having multiple
>entries in a comma delimited list for an IP specifier. You probably don't
>ever want to have more than 10.

>However it is not degraded by using CIDR blocks, so if your HTTP servers
>happen to fit into the same block of IPs, or a couple of blocks, you should
>consider doing so.

>ie:
>var HTTP_SERVERS [192.168.1.0/24]

>or maybe a couple of CIDR blocks:

>var HTTP_SERVERS [192.168.1.0/28,192.168.3.0/24,192.168.5.4/31]


>Do you really have 150 HTTP servers all at non-consecutive IP addresses?? I
>can't imagine that makes for a reasonable easy-to-maintain network. If
>nothing else your router config must be an insane rats nest, or a wide-open
>hole, if that's the case.

<hair_pulling>We own a 19 bit block of addresses (small ISP).  And our
wonderful former Network Engineers did not see fit to use any real plan
for implementation of anything.  My job is a pain, and getting things to
change here is like rolling water uphill.
I must at least try this if possible.
I may try narrowing the CIDR blocks down some, as I have HOME_NET
defined for about 13; I may be able to narrow this down by 1 or 2
networks.</hair_pulling>

Thanks for the Suggestion.
Steve
 

At 01:13 PM 12/27/2002 -0500, Steven Rudolph wrote:
>How long can the var for HTTP_SERVERS be?
>Where would I find this in the code?
>I need a length of about 2000 characters as I have about 150 HTTP servers
>that are in my network.
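
The reply's suggestion of replacing a long comma-delimited host list with CIDR blocks can be scripted. The following is an added example, not part of the original thread or of Snort: it collapses a host list into the fewest exact CIDR blocks, then optionally merges neighbouring blocks while the number of unlisted addresses covered stays within a budget. The sample addresses, the function names and the budget are constructed for illustration, and only IPv4 is assumed.

```python
import ipaddress

# Constructed sample: 16 consecutive hosts, one adjacent pair, two stragglers.
SAMPLE = [f"192.168.1.{i}" for i in range(16)] + [
    "192.168.5.4", "192.168.5.5", "192.168.3.10", "192.168.3.12"]

def collapse_exact(hosts):
    """Fewest CIDR blocks covering exactly the listed IPv4 hosts."""
    nets = (ipaddress.ip_network(h) for h in hosts)
    return list(ipaddress.collapse_addresses(nets))

def span(a, b):
    """Smallest single CIDR block containing both a and b."""
    net = a
    while not b.subnet_of(net):
        net = net.supernet()
    return net

def collapse_lossy(hosts, max_extra):
    """Merge neighbouring blocks while the total count of unlisted
    addresses covered stays <= max_extra (hypothetical budget)."""
    nets = collapse_exact(hosts)
    wanted = sum(n.num_addresses for n in nets)
    while len(nets) > 1:
        best = None
        for left, right in zip(nets, nets[1:]):
            merged = span(left, right)
            # The merged block may swallow further neighbours as well.
            cand = sorted([n for n in nets if not n.subnet_of(merged)] + [merged])
            extra = sum(n.num_addresses for n in cand) - wanted
            if extra <= max_extra and (best is None or extra < best[0]):
                best = (extra, cand)
        if best is None:
            break
        nets = best[1]
    return nets

def snort_var(name, nets):
    """Render the blocks in the var syntax quoted in the thread."""
    return "var %s [%s]" % (name, ",".join(str(n) for n in nets))

if __name__ == "__main__":
    print(snort_var("HTTP_SERVERS", collapse_exact(SAMPLE)))
    print(snort_var("HTTP_SERVERS", collapse_lossy(SAMPLE, max_extra=8)))
```

Widening a block makes any rule keyed on $HTTP_SERVERS also apply to the unlisted addresses it covers, so the budget trades list length against rule scope.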
