Snort mailing list archives
Re: How many IP addresses can a variable hold?
From: Erek Adams <erek () snort org>
Date: Fri, 24 Jan 2003 17:41:02 -0500 (EST)
On Fri, 24 Jan 2003, spy guy wrote:
> In snort.conf, how many IP addresses can a variable hold? Will there be a performance impact if I have too many? (as in over 100)
I'm not sure on the max w/o checking the code. I'll look later tonight.

As for performance: If you have any sort of traffic, it will be horrid. You _really_ should use CIDR notation and try to aggregate those IPs into useable subnets. Consider this:

    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "Evil Access"; content: "Outlook";)

If HOME_NET is set as 10.10.10.0/24 it makes one check:

    Is this src ip inside of the 10.10.10.0/24 range?

If it's set as '10.10.10.0, 10.10.10.1, 10.10.10.2, ... 10.10.10.255' then it has to check:

    Is this src ip 10.10.10.0 or 10.10.10.1 or ... and so on.

Aggregate as much as you can, you'll save a lot of headaches, cpu cycles, and a lot of typing. :)

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
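An added example, not part of the original message and not Snort code: one way to do the aggregation suggested above, collapsing a long address list in a snort.conf `var` line into the fewest CIDR blocks that cover exactly the same addresses, so the variable never grows to include hosts the list did not name. The function names and the sample line are assumptions made for illustration.

```python
import ipaddress
import re

# Matches the snort.conf form "var NAME value"; value may be a [bracketed,list].
VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(.+?)\s*$")


def aggregate_var(line):
    """Parse one var line and return (name, minimal list of IPv4 networks)."""
    m = VAR_RE.match(line)
    if not m:
        raise ValueError("not a 'var NAME value' line")
    name, value = m.groups()
    entries = [e.strip() for e in value.strip("[]").split(",") if e.strip()]
    nets = []
    for entry in entries:
        # Negations, nested variables and 'any' change what the variable
        # means, so they are rejected rather than silently rewritten.
        if entry.startswith(("!", "$")) or entry.lower() == "any":
            raise ValueError(f"cannot aggregate entry {entry!r}")
        # strict=False normalises host bits: 10.1.1.5/24 -> 10.1.1.0/24.
        nets.append(ipaddress.IPv4Network(entry, strict=False))
    # collapse_addresses merges duplicates, overlaps and adjacent blocks,
    # but only into exact covers: no extra address is ever added.
    return name, sorted(ipaddress.collapse_addresses(nets))


def render_var(name, nets):
    """Render the aggregated networks back into a snort.conf var line."""
    body = ",".join(str(n) for n in nets)
    return f"var {name} [{body}]" if len(nets) > 1 else f"var {name} {body}"


# Constructed sample: 256 single hosts plus three stray addresses.
SAMPLE = "var HOME_NET [" + ",".join(
    [f"10.10.10.{i}" for i in range(256)]
    + ["192.168.1.10", "192.168.1.11", "192.168.1.12"]
) + "]"

if __name__ == "__main__":
    var_name, networks = aggregate_var(SAMPLE)
    print(f"{SAMPLE.count(',') + 1} entries -> {len(networks)} networks")
    print(render_var(var_name, networks))
```

Diff the rendered line against the original list before deploying it; the stray addresses stay as their own small blocks instead of being rounded up into a wider subnet.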