[Snort-users] VAR and IP lists
sailorn at ...261...
Sat Mar 30 14:46:04 EST 2002
----- Original Message -----
From: "Erek Adams" <erek at ...577...>
To: "Subba Rao" <sailorn at ...261...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Saturday, March 30, 2002 12:08 PM
Subject: Re: [Snort-users] VAR and IP lists
> On Sat, 30 Mar 2002, Subba Rao wrote:
> > I have declared a variable for a list of addresses that I wanted to
> > (The list is much longer than what I have listed here)
> > var SVCS 10.11.10.11 10.11.10.12 10.11.10.13
> > var SVCS2 10.11.10.30 10.11.10.40 10.11.10.50
> Ignore in what way?
Some of the packets for the hosts in the VAR list (ex: 10.11.10.12) would
> > Snort starts up fine without complaining. It does however miss some of
> > IP addresses in the rules.
> > What is the correct syntax for declaring variables with list of IP
> > addresses? I used the example from Snort manual.
> At this time, it depends on the processor that you are sending it to.
> use whitespace delimited, some use the [x.x.x.x/Y,z.z.z.z/Y] format.
I am assuming you mean the preprocessor. The hosts in these VAR lists do not
have any preprocessor related activities.
> > What is the limit of IP addresses that can be assigned to a variable? I
> > to chop the IP addresses after 70 and create a new variable. (I was
> > to assign 300 IP addresses to a variable and Snort did not like that.) I
> > not look for the IP address threshold for the variable but randomly
> > 70 as the limit.
> I'm going to guess that you are trying to ignore portscans from these
> I would suggest using a BPF filter and a CIDR netmask instead of a long
> of vars. IOW, 10.11.10.0/24,
As for portscans, I have included my routers in another large VAR list and
to work well. However, I would like to know how do you deal with the same
using BPF filters.
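
Added example, not part of the original thread: a Python helper that collapses a long host list like the `SVCS` variables above into the fewest CIDR blocks, then renders both the bracketed Snort `var` form and an equivalent BPF exclusion. The function names are hypothetical, and it assumes "ignore" means excluding all traffic to or from those hosts.

```python
import ipaddress

def collapse(hosts):
    """Parse a whitespace- or comma-delimited IPv4 list into minimal CIDR blocks.

    Raises ValueError on a malformed entry or a prefix with host bits set,
    so a typo cannot silently widen the set of ignored addresses.
    """
    nets = [ipaddress.IPv4Network(tok, strict=True)
            for tok in hosts.replace(",", " ").split()]
    if not nets:
        raise ValueError("empty address list")
    # collapse_addresses removes duplicates and merges adjacent blocks
    return list(ipaddress.collapse_addresses(nets))

def _term(net):
    # pcap-filter primitives: "host A" for one address, "net A/len" for a block
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"net {net}"

def snort_var(name, nets):
    """Render a Snort variable using the bracketed, comma-separated list form."""
    if len(nets) == 1:
        return f"var {name} {nets[0]}"
    return f"var {name} [" + ",".join(str(n) for n in nets) + "]"

def bpf_exclude(nets):
    """Render a BPF expression that drops all traffic to or from the blocks."""
    return "not (" + " or ".join(_term(n) for n in nets) + ")"

if __name__ == "__main__":
    # Constructed input: the two short lists quoted in the thread
    for name, hosts in [("SVCS", "10.11.10.11 10.11.10.12 10.11.10.13"),
                        ("SVCS2", "10.11.10.30 10.11.10.40 10.11.10.50")]:
        nets = collapse(hosts)
        print(snort_var(name, nets))
        print(bpf_exclude(nets))
```

The BPF expression can be given at the end of the Snort command line or in a file passed with `-F`. Unlike a variable referenced in rules, it discards matching packets before any rule or preprocessor sees them, so those hosts become invisible to the sensor.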