[Snort-users] How many IP addresses can a variable hold?
erek at ...950...
Fri Jan 24 14:51:04 EST 2003
On Fri, 24 Jan 2003, spy guy wrote:
> In snort.conf, how many IP addresses can a variable hold?
> Will there be a performance impact if I have too many? (as in over 100)
I'm not sure on the max w/o checking the code. I'll look later tonight.
As for performance: If you have any sort of traffic, it will be horrid.
You _really_ should use CIDR notation and try to aggregate those IPs into
usable subnets. Consider this:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "Evil Access"; content:
If HOME_NET is set as 10.10.10.0/24 it makes one check: Is this src ip
inside of the 10.10.10.0/24 range?
If it's set as '10.10.10.0, 10.10.10.1, 10.10.10.2, ... 10.10.10.255' then
it has to check: Is this src ip 10.10.10.0 or 10.10.10.1 or ... and so on.
Aggregate as much as you can; you'll save a lot of headaches, CPU cycles,
and a lot of typing. :)
"When things get weird, the weird turn pro." H.S. Thompson
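Added example, not part of the original post and not Snort's own code: one way to do the aggregation recommended above, collapsing a long list of host addresses into the fewest CIDR blocks and printing a snort.conf variable line. The function names and sample addresses are constructed for illustration; the bracketed `var NAME [a,b]` list form is assumed to be accepted by the Snort version in use.

```python
import ipaddress

def aggregate(entries):
    """Collapse host addresses / CIDR blocks into the fewest covering blocks."""
    nets = []
    for raw in entries:
        item = raw.strip()
        if not item:
            continue
        # Strict parsing: "10.10.10.5/24" raises ValueError instead of being
        # silently widened to the whole /24, which would enlarge the variable.
        nets.append(ipaddress.IPv4Network(item, strict=True))
    # collapse_addresses drops duplicates, merges adjacent blocks, and
    # returns the result sorted by network address.
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def snort_var(name, entries):
    """Build a snort.conf 'var' line from the aggregated blocks."""
    blocks = aggregate(entries)
    if not blocks:
        raise ValueError("no addresses given for " + name)
    value = blocks[0] if len(blocks) == 1 else "[" + ",".join(blocks) + "]"
    return "var {} {}".format(name, value)

# Constructed sample: every host in 10.10.10.0/24 listed one by one,
# four consecutive hosts, one stray host, and a duplicate.
SAMPLE = (["10.10.10.%d" % i for i in range(256)]
          + ["192.168.1.4", "192.168.1.5", "192.168.1.6", "192.168.1.7"]
          + ["172.16.0.9", "172.16.0.9"])

if __name__ == "__main__":
    print("%d entries in, %d blocks out" % (len(SAMPLE), len(aggregate(SAMPLE))))
    print(snort_var("HOME_NET", SAMPLE))
```

Hosts that do not fall on a block boundary stay as separate /32 or small blocks, so the output never covers an address that was not in the input.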