[Snort-users] Maximum Number Of IPs Per Variable In snort.conf

O'Sullivan, Mairtin mairtin.osullivan at ...8411...
Tue Aug 2 00:35:02 EDT 2005


Thanks. I was hoping that wansn't the case but pretty much figured it
might be.

As regards why... Campus network containing around 2 and a bit public
/16 networks where anyone can host a server if they want. Unfortunately
that's why..


-----Original Message-----
From: Matt Kettler [mailto:mkettler at ...4108...] 
Sent: 02 August 2005 02:59
To: O'Sullivan, Mairtin
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Maximum Number Of IPs Per Variable In
snort.conf

O'Sullivan, Mairtin wrote:
> Apologies if this comes through two times. I sent it a few days ago
from
> an account which wasn't a member of Snort-Users.
> 
> I was wondering what's the maximum number of IPs you can have in a
> variable in snort.conf?
> 
> In the post below it states that the performance hit would be too
great
> to even attempt introducing a large number of IPs. Has that changed
> since 2002?
> http://archives.neohapsis.com/archives/snort/2002-12/0600.html

AFAIK, no, that hasn't changed.

I also don't think you'll see support for it anytime soon either, as I
can't
think of an efficient way to implement it. (But there are many people
out there
smarter than me, so bear in mind this is just an opinion)

I suppose you might be able to do some really crazy many-list structure,
but it
would be a lot of work and suck up memory.

You'd wind up having a deeply nested series of lists pointing to other
lists all
cross-referencing down to the same content rule lists.

You'd start with a list of source-ip specifiers
Those entries would each point to a list of source-port specifiers
Those entries would each point to a list of dest-ip specifiers
Those entries would each point to a list of dest-port specifiers
Those would point to a list of content rules.

That would probably also hurt performance in the single-range case, so I
don't
think it would be quite so good for the general snort community.


> At present I was to look at putting roughly 300 /32 addresses into a
> single variable.
> 
> They addresses are not consecutive and so can't be supernetted.
> 
> Any thoughts?

My only thought is why.






More information about the Snort-users mailing list