[Emerging-Sigs] Potential BPF File Limitations?

Martin Holste mcholste at gmail.com
Thu Oct 13 12:10:59 EDT 2011


Snort 2.9.1.1 introduced the socket you can write to which will
dynamically change the black and whitelists, which looks like it will
help you (http://manual.snort.org/node16.html#SECTION003219000000000000000).
What is unclear is whether or not a whitelist means you will not
alert on that traffic or not.  Joel, can you clarify?

On Thu, Oct 13, 2011 at 8:54 AM, Korodev <korodev at gmail.com> wrote:
> I'm in a situation where I need to efficiently tell Snort to ignore a
> large dynamic list of IPs similar to a whitelist scenario. I'm
> currently using BPF filters in a file, but after seeing Eoin's RBN
> trickery, I was wondering if there might be any performance
> differences in building these as ipvars and negating then from my
> external ipvar.
>
> I'm thinking that BPF filters are still probably the best route here,
> since processing occurs much earlier in the process, but I'm worried
> about how it will scale as the BPF file grows. Should I be worried
> about this?
>
> \\korodev
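Added example, not code from either poster: a small Python helper that collapses a host/CIDR whitelist into the minimal set of prefixes and emits it either as a BPF `not (...)` clause for a filter file or as a Snort ipvar, so the filter grows with the number of distinct prefixes rather than the number of raw entries. The whitelist contents are constructed sample data.

```python
import ipaddress

# Constructed sample whitelist, one host or CIDR per line, as it might
# sit in the file that feeds the BPF filter.
SAMPLE_WHITELIST = """
192.0.2.1
192.0.2.2
192.0.2.3
192.0.2.0/25
192.0.2.128/25
198.51.100.0/24   # partner range
203.0.113.7
"""


def parse_list(text):
    """Parse one host or CIDR per line; blanks and '#' comments are skipped."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def collapse(nets):
    """Merge adjacent and overlapping prefixes so each address appears once.
    All entries must be the same IP version (ipaddress raises otherwise)."""
    return sorted(ipaddress.collapse_addresses(nets))


def _term(net, host_fmt, net_fmt):
    full = net.prefixlen == net.max_prefixlen
    return host_fmt.format(net.network_address) if full else net_fmt.format(net.with_prefixlen)


def bpf_expression(nets):
    """BPF clause that excludes every prefix: 'not (host a or net b/24 ...)'."""
    return "not (" + " or ".join(_term(n, "host {}", "net {}") for n in nets) + ")"


def snort_ipvar(name, nets):
    """Same list as a Snort ipvar, e.g. 'ipvar WHITELIST [a,b/24]'."""
    return f"ipvar {name} [" + ",".join(_term(n, "{}", "{}") for n in nets) + "]"


if __name__ == "__main__":
    raw = parse_list(SAMPLE_WHITELIST)
    merged = collapse(raw)
    print(f"{len(raw)} entries -> {len(merged)} prefixes")
    print(bpf_expression(merged))
    print(snort_ipvar("WHITELIST", merged))
```

The entry and prefix counts printed at the end are the quick check on how far a grown list really inflates the BPF program.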
