[Snort-users] VAR and IP lists

Subba Rao sailorn at ...261...
Sat Mar 30 14:46:04 EST 2002


----- Original Message -----
From: "Erek Adams" <erek at ...577...>
To: "Subba Rao" <sailorn at ...261...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Saturday, March 30, 2002 12:08 PM
Subject: Re: [Snort-users] VAR and IP lists


> On Sat, 30 Mar 2002, Subba Rao wrote:
>
> > I have declared a variable for a list of addresses that I wanted to ignore.
> > (The list is much longer than what I have listed here)
> >
> > var SVCS 10.11.10.11 10.11.10.12 10.11.10.13
> > var SVCS2 10.11.10.30 10.11.10.40 10.11.10.50
>
> Ignore in what way?

Some of the packets for the hosts in the VAR list (ex: 10.11.10.12) would
still get alerted.

>
> > Snort starts up fine without complaining. It does however miss some of
> > these IP addresses in the rules.
> >
> > What is the correct syntax for declaring variables with list of IP
> > addresses? I used the example from Snort manual.
>
> At this time, it depends on the processor that you are sending it to.
> Some use whitespace delimited, some use the [x.x.x.x/Y,z.z.z.z/Y] format.
>

I am assuming you mean the preprocessor. The hosts in these VAR lists do not
have any preprocessor related activities.

> > What is the limit of IP addresses that can be assigned to a variable? I
> > had to chop the IP addresses after 70 and create a new variable. (I was
> > trying to assign 300 IP addresses to a variable and Snort did not like
> > that.) I did not look for the IP address threshold for the variable but
> > randomly picked 70 as the limit.
>
> I'm going to guess that you are trying to ignore portscans from these
> servers. I would suggest using a BPF filter and a CIDR netmask instead of a
> long list of vars.  IOW, 10.11.10.0/24,
>

As for portscans, I have included my routers in another large VAR list and it
seems to work well. However, I would like to know how you deal with the same
issue (portscans) using BPF filters.
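
The CIDR approach Erek suggests, worked through as an added example (not code from the thread or from Snort): it collapses a host list into the fewest exact CIDR blocks, emits them in the bracket `var` form mentioned above and as a BPF `not (net ...)` expression that libpcap applies before any Snort preprocessor (including portscan) sees the packet, and counts how many unlisted addresses a coarse /24 would silently exclude. The six sample addresses are the ones from the thread; the 256-host range is constructed.

```python
"""Collapse a host list into CIDR blocks for a Snort var or a BPF filter.

Added illustration, not Snort's own code. Assumes the bracket list syntax
[a/b,c/d] described in the thread and the standard pcap-filter 'net'
primitive. Sample addresses are the thread's six hosts plus a constructed /24.
"""
import ipaddress
from typing import Iterable, List

THREAD_HOSTS = ["10.11.10.11", "10.11.10.12", "10.11.10.13",
                "10.11.10.30", "10.11.10.40", "10.11.10.50"]


def collapse_hosts(hosts: Iterable[str]) -> List[str]:
    """Minimal, sorted list of CIDR blocks covering exactly the given hosts."""
    nets = [ipaddress.ip_network(h, strict=False) for h in hosts]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def snort_var(name: str, blocks: List[str]) -> str:
    """One 'var' line in bracket/CIDR form instead of a long whitespace list."""
    return f"var {name} [{','.join(blocks)}]"


def bpf_exclude(blocks: List[str]) -> str:
    """BPF expression that keeps the blocks' traffic out of Snort entirely,
    so no rule or preprocessor (portscan included) ever sees it."""
    terms = " or ".join(f"net {b}" for b in blocks)
    return f"not ({terms})"


def extra_excluded(block: str, hosts: Iterable[str]) -> int:
    """How many addresses in 'block' are NOT in the intended host list.
    A coarse netmask like 10.11.10.0/24 blinds Snort to all of them."""
    wanted = {ipaddress.ip_address(h) for h in hosts}
    return sum(1 for a in ipaddress.ip_network(block) if a not in wanted)


if __name__ == "__main__":
    blocks = collapse_hosts(THREAD_HOSTS)
    print(snort_var("SVCS", blocks))
    print("snort ... '" + bpf_exclude(blocks) + "'")
    print("unlisted hosts a /24 would hide:",
          extra_excluded("10.11.10.0/24", THREAD_HOSTS))
```

Run it as `snort -c snort.conf <BPF expression>`; the exact-block filter excludes only the listed hosts, while the /24 shortcut also hides 250 addresses that were never on the list.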
