[Emerging-Sigs] Potential BPF File Limitations?

Korodev korodev at gmail.com
Thu Oct 13 09:54:59 EDT 2011


I'm in a situation where I need to efficiently tell Snort to ignore a
large dynamic list of IPs similar to a whitelist scenario. I'm
currently using BPF filters in a file, but after seeing Eoin's RBN
trickery, I was wondering if there might be any performance
differences in building these as ipvars and negating them from my
external ipvar.

I'm thinking that BPF filters are still probably the best route here,
since processing occurs much earlier in the process, but I'm worried
about how it will scale as the BPF file grows. Should I be worried
about this?

\\korodev
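As an added illustration (not from the original post), the following Python helper builds both forms discussed above from one IP list: a BPF expression that can be written to the file given to Snort with `-F`, and the equivalent Snort 2.x `ipvar` lines with the whitelist negated out of `EXTERNAL_NET`. Adjacent and duplicate entries are collapsed first, which keeps the BPF expression short as the list grows; the sample addresses are constructed, and `WHITELIST` is an assumed variable name.

```python
import ipaddress

# Constructed sample whitelist: a duplicate host, two adjacent /32s that
# merge into one /31, and a full /24. Not taken from the original post.
SAMPLE_WHITELIST = [
    "192.0.2.10", "192.0.2.11", "198.51.100.0/24", "203.0.113.7", "192.0.2.10",
]


def collapse(addrs):
    """Parse IPs/CIDRs and merge duplicates, overlaps and adjacent ranges."""
    nets = [ipaddress.ip_network(a, strict=False) for a in addrs]
    return list(ipaddress.collapse_addresses(nets))


def _fmt(net):
    """Single hosts print as plain addresses, everything else as CIDR."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return net.with_prefixlen


def to_bpf(addrs):
    """BPF expression that excludes traffic to or from every whitelisted
    address before Snort decodes it (suitable for a file passed with -F)."""
    terms = []
    for net in collapse(addrs):
        kind = "host" if net.prefixlen == net.max_prefixlen else "net"
        terms.append(f"{kind} {_fmt(net)}")
    return "not (" + " or ".join(terms) + ")"


def to_ipvar(addrs, name="WHITELIST"):
    """Snort 2.x ipvar lines: the whitelist itself, then EXTERNAL_NET with
    both HOME_NET and the whitelist negated. Unlike the BPF form, these are
    evaluated per rule, so excluded hosts still pass through preprocessors."""
    body = ",".join(_fmt(net) for net in collapse(addrs))
    return f"ipvar {name} [{body}]\nipvar EXTERNAL_NET ![$HOME_NET,${name}]"


if __name__ == "__main__":
    print(to_bpf(SAMPLE_WHITELIST))
    print(to_ipvar(SAMPLE_WHITELIST))
```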
