[Snort-users] VAR and IP lists
erek at ...577...
Sat Mar 30 09:09:12 EST 2002
On Sat, 30 Mar 2002, Subba Rao wrote:
> I have declared a variable for a list of addresses that I wanted to ignore.
> (The list is much longer than what I have listed here)
> var SVCS 10.11.10.11 10.11.10.12 10.11.10.13
> var SVCS2 10.11.10.30 10.11.10.40 10.11.10.50
Ignore in what way?
> Snort starts up fine without complaining. It does however miss some of these
> IP addresses in the rules.
> What is the correct syntax for declaring variables with list of IP
> addresses? I used the example from Snort manual.
At this time, it depends on the processor that you are sending it to. Some
use whitespace delimited, some use the [x.x.x.x/Y,z.z.z.z/Y] format.
> What is the limit of IP addresses that can be assigned to a variable? I had
> to chop the IP addresses after 70 and create a new variable. (I was trying
> to assign 300 IP addresses to a variable and Snort did not like that.) I did
> not look for the IP address threshold for the variable but randomly picked
> 70 as the limit.
I'm going to guess that you are trying to ignore portscans from these servers.
I would suggest using a BPF filter and a CIDR netmask instead of a long list
of vars. IOW, 10.11.10.0/24,
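
Added example, not part of the original thread: a Python sketch that collapses a long host list into the fewest exact CIDR blocks, prints them in the bracketed list format quoted above and as a BPF exclusion expression, and reports how many unlisted addresses a single covering netmask would also hide from the sensor. The function names are hypothetical, the variable name SVCS is reused from the question, and the sample input is constructed from the addresses quoted there.

```python
import ipaddress

# Constructed sample input: the six addresses quoted in the question.
SAMPLE = "10.11.10.11 10.11.10.12 10.11.10.13 10.11.10.30 10.11.10.40 10.11.10.50"

def collapse(text):
    """Parse whitespace- or comma-separated hosts/CIDRs into minimal exact blocks."""
    tokens = text.replace(",", " ").split()
    # strict=True rejects entries with host bits set, e.g. 10.11.10.11/24
    nets = [ipaddress.ip_network(t, strict=True) for t in tokens]
    return list(ipaddress.collapse_addresses(nets))

def snort_var(name, nets):
    """Render the blocks in the bracketed, comma-separated list format."""
    return "var %s [%s]" % (name, ",".join(str(n) for n in nets))

def bpf_exclude(nets):
    """Render a BPF expression that drops traffic to or from the blocks."""
    terms = []
    for n in nets:
        if n.prefixlen == n.max_prefixlen:
            terms.append("host %s" % n.network_address)
        else:
            terms.append("net %s" % n)
    return "not (%s)" % " or ".join(terms)

def covering_block(nets):
    """Smallest single CIDR holding every block, plus the count of
    addresses inside it that were never on the original list."""
    block = nets[0]
    while not all(n.subnet_of(block) for n in nets):
        block = block.supernet()
    extra = block.num_addresses - sum(n.num_addresses for n in nets)
    return block, extra

if __name__ == "__main__":
    blocks = collapse(SAMPLE)
    print(snort_var("SVCS", blocks))
    print(bpf_exclude(blocks))
    wide, extra = covering_block(blocks)
    print("single netmask %s also ignores %d unlisted addresses" % (wide, extra))
```

Traffic excluded by a BPF filter never reaches any rule or preprocessor, so the exact blocks keep the blind spot limited to the listed hosts, while the single covering block trades that for a shorter filter.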