Re: HOME_NET Limit?

[Erek Adams <erek () snort org>]

On Mon, 17 Mar 2003 eelsten () mmm com wrote:

> Can anyone tell me if there is a limit on the number of networks you can
> put in HOME_NET?  I'm getting the following error, but I don't see a
> problem syntactically.  I have 316 of them in there.  Snort 1.9.0 is
> running under RH 7.3.  Thanks!
>
> Initializing rule chains...
> ERROR line /etc/snort/snort.conf (29) => Unknown rule type: ,172.17.0.0/16

*  Upgrade to 1.9.1 or comment out the rpc_decode preprocessor.

Yep.  1024 bytes is the standard buffer size.  It's defined in snort.h:

        #define STD_BUF  1024

One suggestion:  Get rid of all of those networks!  You'll see massive
speed increase!

Consider this:

        var $HOME_NET 10.10.10.0/23

2 class C's, building 'one check' to see if something is in HOME_NET vs...

        var $HOME_NET [10.10.10.0/24,10.10.11.0/24]

2 class C's, building 'two checks' to see if something is in HOME_NET.

Now, you've got 316?  316 Checks for HOME_NET.  Not good!

Aggregate as much as you can.  If you can't, then aggragate as much as you
can into one .conf and split out into other .confs as needed.

Good luck!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.net email is sponsored by:Crypto Challenge is now open! 
Get cracking and register here for some mind boggling fun and 
the chance of winning an Apple iPod:
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users