Snort mailing list archives

Re: VAR and IP lists


From: "Subba Rao" <sailorn () attglobal net>
Date: Sat, 30 Mar 2002 17:48:18 -0500


----- Original Message -----
From: "Erek Adams" <erek () theadamsfamily net>
To: "Subba Rao" <sailorn () attglobal net>
Cc: <snort-users () lists sourceforge net>
Sent: Saturday, March 30, 2002 12:08 PM
Subject: Re: [Snort-users] VAR and IP lists


> On Sat, 30 Mar 2002, Subba Rao wrote:
>
>> I have declared a variable for a list of addresses that I wanted to
>> ignore. (The list is much longer than what I have listed here.)
>>
>> var SVCS 10.11.10.11 10.11.10.12 10.11.10.13
>> var SVCS2 10.11.10.30 10.11.10.40 10.11.10.50
>
> Ignore in what way?

Some of the packets for the hosts in the VAR list (ex: 10.11.10.12) would
still get alerted.

>> Snort starts up fine without complaining. It does however miss some of
>> these IP addresses in the rules.
>>
>> What is the correct syntax for declaring variables with a list of IP
>> addresses? I used the example from the Snort manual.
>
> At this time, it depends on the processor that you are sending it to.
> Some use whitespace delimited, some use the [x.x.x.x/Y,z.z.z.z/Y] format.

I am assuming you mean the preprocessor. The hosts in these VAR lists do not
have any preprocessor-related activities.

>> What is the limit of IP addresses that can be assigned to a variable? I
>> had to chop the IP addresses after 70 and create a new variable. (I was
>> trying to assign 300 IP addresses to a variable and Snort did not like
>> that.) I did not look for the IP address threshold for the variable but
>> randomly picked 70 as the limit.
>
> I'm going to guess that you are trying to ignore portscans from these
> servers. I would suggest using a BPF filter and a CIDR netmask instead of
> a long list of vars.  IOW, 10.11.10.0/24.

As for portscans, I have included my routers in another large VAR list and
it seems to work well. However, I would like to know how you deal with the
same issue (portscans) using BPF filters.



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
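Editor's added example, not code from either poster or from the Snort project: the suggestion above is to replace a long whitespace-delimited host list with CIDR blocks, either in a bracketed var list or in a BPF filter. The Python below takes a list of individual hosts, collapses it into the minimal set of CIDR blocks with the standard library's `ipaddress` module, and emits both forms. The six addresses are the ones from the thread; the extra 10.11.20.0/24 hosts are constructed sample input to show what collapsing does to a contiguous block. The `SVCS` var name and the function names are this example's own.

```python
import ipaddress

# Constructed sample input: the six hosts from the two var lines in the
# thread, plus one full /24 of individual hosts to show collapsing at work.
SAMPLE_HOSTS = (
    ["10.11.10.11", "10.11.10.12", "10.11.10.13",
     "10.11.10.30", "10.11.10.40", "10.11.10.50"]
    + [f"10.11.20.{i}" for i in range(256)]
)


def collapse_hosts(hosts):
    """Collapse single IPs (or CIDR strings) into the minimal list of
    non-overlapping CIDR blocks, sorted by network address."""
    nets = [ipaddress.ip_network(h, strict=False) for h in hosts]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def snort_var(name, cidrs):
    """Emit a snort.conf var in the bracketed, comma-separated list form
    ([x.x.x.x/Y,z.z.z.z/Y]) rather than a whitespace-delimited host list."""
    return f"var {name} [{','.join(cidrs)}]"


def bpf_exclude(cidrs):
    """Build a BPF expression that drops all traffic to or from the blocks.
    'net' and 'host' are standard BPF/tcpdump primitives; /32 entries are
    written with 'host' because it reads more naturally."""
    terms = []
    for c in cidrs:
        n = ipaddress.ip_network(c)
        if n.prefixlen == 32:
            terms.append(f"host {n.network_address}")
        else:
            terms.append(f"net {c}")
    return "not (" + " or ".join(terms) + ")"


def covered(ip, cidrs):
    """True if the address falls inside any of the blocks. Use this to
    confirm a host you meant to exclude really is, before trusting the
    filter in production."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    cidrs = collapse_hosts(SAMPLE_HOSTS)
    print(snort_var("SVCS", cidrs))
    print(bpf_exclude(cidrs))
    for ip in ("10.11.10.12", "10.11.10.14", "10.11.20.77"):
        print(ip, "excluded" if covered(ip, cidrs) else "still inspected")
```

The BPF string can be handed to Snort on the command line after the options, or placed in a file and loaded with `-F`. The caveat with that approach, which the var approach does not share: a BPF exclusion is applied before any decoding, so packets to or from those hosts never reach the portscan preprocessor, or any rule either. That silences the portscan noise from your own servers, but it also means an attack against one of them is not seen at all; a bracketed var list in a `pass` rule or in the preprocessor's ignore list keeps the traffic visible to everything else.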
