[Snort-users] Maximum Number Of IPs Per Variable In snort.conf
mairtin.osullivan at ...8411...
Tue Aug 2 00:35:02 EDT 2005
Thanks. I was hoping that wasn't the case but pretty much figured it
As regards why... Campus network containing around 2 and a bit public
/16 networks where anyone can host a server if they want. Unfortunately
From: Matt Kettler [mailto:mkettler at ...4108...]
Sent: 02 August 2005 02:59
To: O'Sullivan, Mairtin
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Maximum Number Of IPs Per Variable In
O'Sullivan, Mairtin wrote:
> Apologies if this comes through two times. I sent it a few days ago
> an account which wasn't a member of Snort-Users.
> I was wondering what's the maximum number of IPs you can have in a
> variable in snort.conf?
> In the post below it states that the performance hit would be too
> to even attempt introducing a large number of IPs. Has that changed
> since 2002?
AFAIK, no, that hasn't changed.
I also don't think you'll see support for it anytime soon either, as I
think of an efficient way to implement it. (But there are many people
smarter than me, so bear in mind this is just an opinion)
I suppose you might be able to do some really crazy many-list structure,
would be a lot of work and suck up memory.
You'd wind up having a deeply nested series of lists pointing to other
cross-referencing down to the same content rule lists.
You'd start with a list of source-ip specifiers
Those entries would each point to a list of source-port specifiers
Those entries would each point to a list of dest-ip specifiers
Those entries would each point to a list of dest-port specifiers
Those would point to a list of content rules.
That would probably also hurt performance in the single-range case, so I
think it would be quite so good for the general snort community.
> At present I was to look at putting roughly 300 /32 addresses into a
> single variable.
> The addresses are not consecutive and so can't be supernetted.
> Any thoughts?
My only thought is why.
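The four-level index Matt sketches (source IP, then source port, then destination IP, then destination port, then content rules), written out as an added Python illustration; this is not Snort code and says nothing about how Snort stores its variables. It assumes a toy rule format of src, sport, dst, dport and an optional content string, resolves `$NAME` through a small dict standing in for snort.conf variables, and the 300-host list, the `HOME_NET` value and both rules are constructed for the example.

```python
"""Toy version of the nested index sketched in the thread:
src-ip -> src-port -> dst-ip -> dst-port -> content rules.
Added illustration, not Snort code; rules and variables are made up."""
import ipaddress
from dataclasses import dataclass, field


def parse_ips(spec, variables):
    """'$NAME' resolves through `variables`; 'any' -> None (wildcard);
    'a.b.c.d', 'a.b.c.0/24' or '[x,y,...]' -> list of networks."""
    if spec.startswith("$"):
        spec = variables[spec[1:]]
    if spec == "any":
        return None
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in spec.strip("[]").split(",")]


def parse_ports(spec):
    """'any' -> None; '80' -> (80, 80); '1024:' -> (1024, 65535)."""
    if spec == "any":
        return None
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo or 0), int(hi or 65535))
    return (int(spec), int(spec))


@dataclass
class IPLevel:
    """One IP level: /32 hosts are hashed, wider prefixes are scanned,
    and every rule saying 'any' shares one subtree."""
    hosts: dict = field(default_factory=dict)   # IPv4Address -> subtree
    nets: list = field(default_factory=list)    # (IPv4Network, subtree)
    wild: object = None                         # subtree for 'any'

    def child(self, net, factory):
        if net is None:
            if self.wild is None:
                self.wild = factory()
            return self.wild
        if net.prefixlen == net.max_prefixlen:
            return self.hosts.setdefault(net.network_address, factory())
        for known, sub in self.nets:
            if known == net:
                return sub
        self.nets.append((net, factory()))
        return self.nets[-1][1]

    def matches(self, ip):
        found = [self.wild] if self.wild is not None else []
        if ip in self.hosts:
            found.append(self.hosts[ip])
        found.extend(sub for net, sub in self.nets if ip in net)
        return found


class PortLevel(dict):
    """One port level: keys are (lo, hi) ranges or None for 'any'."""
    def child(self, rng, factory):
        if rng not in self:
            self[rng] = factory()
        return self[rng]

    def matches(self, port):
        return [sub for rng, sub in self.items()
                if rng is None or rng[0] <= port <= rng[1]]


class RuleIndex:
    def __init__(self, variables):
        self.variables = variables
        self.root = IPLevel()
        self.leaves = 0     # (sid, content) entries stored; grows with list size

    def add(self, sid, src, sport, dst, dport, content=None):
        """Insert one 'src sport -> dst dport' rule; a variable holding N
        addresses becomes N separate entries at its IP level."""
        for s in parse_ips(src, self.variables) or [None]:
            l2 = self.root.child(s, PortLevel)
            l3 = l2.child(parse_ports(sport), IPLevel)
            for d in parse_ips(dst, self.variables) or [None]:
                l4 = l3.child(d, PortLevel)
                l4.child(parse_ports(dport), list).append((sid, content))
                self.leaves += 1

    def lookup(self, src_ip, sport, dst_ip, dport, payload=b""):
        """Walk the four levels for one packet; return matching sids."""
        src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        hits = set()
        for l2 in self.root.matches(src_ip):
            for l3 in l2.matches(sport):
                for l4 in l3.matches(dst_ip):
                    for rules in l4.matches(dport):
                        hits.update(sid for sid, c in rules
                                    if c is None or c in payload)
        return sorted(hits)


def campus_servers(n=300):
    """Constructed sample: n odd-numbered hosts in 10.0.0.0/16, so no two
    are adjacent and the list cannot be supernetted."""
    return ["10.0.%d.%d" % (i // 100, (i % 100) * 2 + 1) for i in range(n)]


def cidr_count(addrs):
    """How many prefixes remain after the best possible supernetting."""
    nets = [ipaddress.ip_network(a) for a in addrs]
    return len(list(ipaddress.collapse_addresses(nets)))


def build_index():
    servers = campus_servers()
    idx = RuleIndex({"SERVERS": "[" + ",".join(servers) + "]",
                     "HOME_NET": "10.0.0.0/16"})      # constructed values
    # alert tcp any any -> $SERVERS 80 (content:"/etc/passwd"; sid:1;)
    idx.add(1, "any", "any", "$SERVERS", "80", b"/etc/passwd")
    # alert tcp any any -> $HOME_NET 22 (sid:2;)
    idx.add(2, "any", "any", "$HOME_NET", "22")
    return idx


if __name__ == "__main__":
    idx = build_index()
    print("prefixes after collapse:", cidr_count(campus_servers()))          # 300
    print("leaf entries stored:", idx.leaves)                                 # 301
    print(idx.lookup("192.0.2.1", 4000, "10.0.0.1", 80, b"GET /etc/passwd"))  # [1]
    print(idx.lookup("192.0.2.1", 4000, "10.0.0.2", 80, b"GET /etc/passwd"))  # []
    print(idx.lookup("192.0.2.1", 4000, "10.0.0.2", 22))                      # [2]
```

Two things worth noticing when running it. `cidr_count` confirms that a list of scattered /32s really does stay at 300 prefixes, so supernetting is no escape. And `leaves` shows the memory side of the design: one rule that references a 300-entry variable is stored as 300 separate entries at its IP level, which is the "suck up memory" cost Matt anticipates. The per-packet walk, on the other hand, hashes exact hosts rather than scanning them, so a packet to a host outside the list falls through the 300 entries in one dictionary probe; only wider prefixes are still compared one by one at each level.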