[Snort-users] VAR and IP lists

Erek Adams erek at ...577...
Sat Mar 30 09:09:12 EST 2002

On Sat, 30 Mar 2002, Subba Rao wrote:

> I have declared a variable for a list of addresses that I wanted to ignore.
> (The list is much longer than what I have listed here)
> var SVCS
> var SVCS2

Ignore in what way?

> Snort starts up fine without complaining. It does however miss some of these
> IP addresses in the rules.
> What is the correct syntax for declaring variables with a list of IP
> addresses? I used the example from the Snort manual.

At this time, it depends on the processor that you are sending it to.  Some
use whitespace delimited, some use the [x.x.x.x/Y,z.z.z.z/Y] format.

> What is the limit of IP addresses that can be assigned to a variable? I had
> to chop the IP addresses after 70 and create a new variable. (I was trying
> to assign 300 IP addresses to a variable and Snort did not like that.) I did
> not look for the IP address threshold for the variable but randomly picked
> 70 as the limit.

I'm going to guess that you are trying to ignore portscans from these servers.
I would suggest using a BPF filter and a CIDR netmask instead of a long list
of vars.  IOW,,


Erek Adams
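
The following is an added illustration of the suggestion in the reply above; it is not part of the original message and is not Snort project code. It collapses a long host list into CIDR blocks, then emits both the bracketed variable form mentioned in the reply and a BPF exclusion expression. The function names and sample addresses (documentation ranges) are constructed for the example; only the variable name SVCS comes from the post.

```python
import ipaddress

def collapse(addresses):
    """Merge IPv4 hosts/CIDR blocks into the smallest covering set of networks.

    strict parsing is kept on purpose: an entry such as 192.0.2.5/24 raises
    ValueError instead of silently widening the ignore list to a whole /24.
    """
    nets = [ipaddress.IPv4Network(a.strip()) for a in addresses if a.strip()]
    return list(ipaddress.collapse_addresses(nets))

def snort_var(name, nets):
    """Render the networks in the [x.x.x.x/Y,z.z.z.z/Y] list format."""
    return "var %s [%s]" % (name, ",".join(str(n) for n in nets))

def bpf_exclude(nets, direction="src"):
    """Build a BPF expression that drops traffic from the listed networks.

    A BPF filter removes these packets before any rule or preprocessor sees
    them, so nothing at all is logged for the excluded sources.
    """
    if not nets:
        raise ValueError("refusing to build an empty exclusion filter")
    terms = []
    for n in nets:
        if n.prefixlen == n.max_prefixlen:
            terms.append("%s host %s" % (direction, n.network_address))
        else:
            terms.append("%s net %s" % (direction, n))
    return "not (" + " or ".join(terms) + ")"

# Constructed sample: 273 individual addresses plus one duplicate.
SAMPLE = (
    ["192.0.2.%d" % i for i in range(256)]
    + ["198.51.100.%d" % i for i in range(16, 32)]
    + ["203.0.113.7", "203.0.113.7"]
)

if __name__ == "__main__":
    nets = collapse(SAMPLE)
    print("%d entries -> %d networks" % (len(SAMPLE), len(nets)))
    print(snort_var("SVCS", nets))
    print(bpf_exclude(nets))
```
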
