[Snort-users] VAR and IP lists

Subba Rao sailorn at ...261...
Sat Mar 30 14:46:04 EST 2002

----- Original Message -----
From: "Erek Adams" <erek at ...577...>
To: "Subba Rao" <sailorn at ...261...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Saturday, March 30, 2002 12:08 PM
Subject: Re: [Snort-users] VAR and IP lists

> On Sat, 30 Mar 2002, Subba Rao wrote:
> > I have declared a variable for a list of addresses that I wanted to
> > (The list is much longer than what I have listed here)
> >
> > var SVCS
> > var SVCS2
> Ignore in what way?

Some of the packets for the hosts in the VAR list (ex: would
get alerted.

> > Snort starts up fine without complaining. It does however miss some of
> > IP addresses in the rules.
> >
> > What is the correct syntax for declaring variables with list of IP
> > addresses? I used the example from Snort manual.
> At this time, it depends on the processor that you are sending it to.
> use whitespace delimited, some use the [x.x.x.x/Y,z.z.z.z/Y] format.

I am assuming you mean the preprocessor. The hosts in these VAR lists do not
have any preprocessor related activities.

> > What is the limit of IP addresses that can be assigned to a variable? I
> > to chop the IP addresses after 70 and create a new variable. (I was
> > to assign 300 IP addresses to a variable and Snort did not like that.) I
> > not look for the IP address threshold for the variable but randomly
> > 70 as the limit.
> I'm going to guess that you are trying to ignore portscans from these
> I would suggest using a BPF filter and a CIDR netmask instead of a long
> of vars.  IOW,

As for portscans, I have included my routers in another large VAR list and
to work well. However, I would like to know how you deal with the same
issue (portscans) using BPF filters.
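
Added example, not part of the original thread: one way to turn a long per-host list into a few CIDR blocks and emit both the bracketed var form and an excluding BPF expression, as the quoted reply suggests. The addresses are constructed sample data and the function names are hypothetical; only the variable name SVCS comes from the message.

```python
import ipaddress

# Constructed sample list (RFC 5737 documentation ranges), standing in for
# the long per-host list described in the thread.
SAMPLE = ["192.0.2.%d" % i for i in range(8)] + [
    "192.0.2.9",
    "198.51.100.0/25",
    "198.51.100.128/25",
    "192.0.2.3",  # duplicate entry, merged away below
]


def collapse(addresses):
    """Merge host addresses and CIDR blocks into the fewest CIDR blocks.

    ip_network() is strict by default, so an entry such as 192.0.2.5/24
    (host bits set, usually a typo) raises ValueError instead of silently
    widening the list.
    """
    nets = [ipaddress.ip_network(a.strip()) for a in addresses if a.strip()]
    return list(ipaddress.collapse_addresses(nets))


def snort_var(name, nets):
    """Render the blocks in the bracketed [a/n,b/m] list format."""
    return "var %s [%s]" % (name, ",".join(str(n) for n in nets))


def bpf_exclude(nets):
    """Render a pcap filter that drops traffic to or from the blocks."""
    terms = []
    for n in nets:
        if n.prefixlen == n.max_prefixlen:
            terms.append("host %s" % n.network_address)
        else:
            terms.append("net %s" % n)
    return "not (%s)" % " or ".join(terms)


if __name__ == "__main__":
    blocks = collapse(SAMPLE)
    print(snort_var("SVCS", blocks))
    print(bpf_exclude(blocks))
```

Snort takes a BPF expression as trailing command-line arguments or from a file with -F. Packets excluded that way never reach Snort, so no rule or preprocessor sees them, whereas the var form only affects rules that reference the variable.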
