[Snort-users] VAR and IP lists

Erek Adams erek at ...577...
Sat Mar 30 09:09:12 EST 2002


On Sat, 30 Mar 2002, Subba Rao wrote:

> I have declared a variable for a list of addresses that I wanted to ignore.
> (The list is much longer than what I have listed here)
>
> var SVCS 10.11.10.11 10.11.10.12 10.11.10.13
> var SVCS2 10.11.10.30 10.11.10.40 10.11.10.50

Ignore in what way?

> Snort starts up fine without complaining. It does however miss some of these
> IP addresses in the rules.
>
> What is the correct syntax for declaring variables with list of IP
> addresses? I used the example from Snort manual.

At this time, it depends on the processor that you are sending it to.  Some
use whitespace delimited, some use the [x.x.x.x/Y,z.z.z.z/Y] format.

> What is the limit of IP addresses that can be assigned to a variable? I had
> to chop the IP addresses after 70 and create a new variable. (I was trying
> to assign 300 IP addresses to a variable and Snort did not like that.) I did
> not look for the IP address threshold for the variable but randomly picked
> 70 as the limit.

I'm going to guess that you are trying to ignore portscans from these servers.
I would suggest using a BPF filter and a CIDR netmask instead of a long list
of vars.  IOW, 10.11.10.0/24,

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
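
An added example, not part of the original message: one way to turn long whitespace-delimited `var` lists like the ones quoted above into an exact set of CIDR blocks, then print them in the bracketed list form and as a BPF exclusion. The function names and the choice of `src net` (ignoring traffic sourced from the listed hosts) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the two whitespace-delimited var lines quoted in the post.
SAMPLE_VARS = """\
var SVCS 10.11.10.11 10.11.10.12 10.11.10.13
var SVCS2 10.11.10.30 10.11.10.40 10.11.10.50
"""

def parse_var_lines(text):
    """Collect every address or network from 'var NAME a b c' lines."""
    nets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "var":
            continue
        for token in fields[2:]:
            # strict=True rejects entries with host bits set, e.g. 10.11.10.5/24
            nets.append(ipaddress.ip_network(token, strict=True))
    return nets

def collapse(nets):
    """Exact minimal CIDR cover: no address is added that was not listed."""
    return list(ipaddress.collapse_addresses(nets))

def bracket_list(nets):
    """The [x.x.x.x/Y,z.z.z.z/Y] form mentioned in the reply."""
    return "[" + ",".join(str(n) for n in nets) + "]"

def bpf_exclude(nets):
    """BPF expression that drops traffic sourced from the listed networks."""
    return "not (" + " or ".join(f"src net {n}" for n in nets) + ")"

if __name__ == "__main__":
    blocks = collapse(parse_var_lines(SAMPLE_VARS))
    print(bracket_list(blocks))
    print(bpf_exclude(blocks))
```

Because the collapse is exact, scattered hosts stay as /32 entries; only contiguous, aligned runs merge, so a full 256-address list reduces to a single /24.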




