[Emerging-Sigs] Potential BPF File Limitations?

Korodev korodev at gmail.com
Thu Oct 13 13:00:27 EDT 2011


From what I've read, the new reputation preprocessors SF has
introduced will fire off an event when it sees a whitelisted or
blacklisted IP, but I'm unclear as to what happens after that. Is
Snort done with the packet at that point, or does it continue on
through rule inspection?

\\korodev



On Thu, Oct 13, 2011 at 11:10 AM, Martin Holste <mcholste at gmail.com> wrote:
> Snort 2.9.1.1 introduced the socket you can write to which will
> dynamically change the black and whitelists, which looks like it will
> help you (http://manual.snort.org/node16.html#SECTION003219000000000000000).
>  What is unclear is whether or not a whitelist means you will not
> alert on that traffic or not.  Joel, can you clarify?
>
> On Thu, Oct 13, 2011 at 8:54 AM, Korodev <korodev at gmail.com> wrote:
>> I'm in a situation where I need to efficiently tell Snort to ignore a
>> large dynamic list of IPs similar to a whitelist scenario. I'm
>> currently using BPF filters in a file, but after seeing Eoin's RBN
>> trickery, I was wondering if there might be any performance
>> differences in building these as ipvars and negating them from my
>> external ipvar.
>>
>> I'm thinking that BPF filters are still probably the best route here,
>> since processing occurs much earlier in the process, but I'm worried
>> about how it will scale as the BPF file grows. Should I be worried
>> about this?
>>
>> \\korodev
>
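As an added example (not code from this thread, from Snort, or from Emerging Threats): a small Python script that turns a whitelist of hosts and CIDRs into both forms discussed above, a BPF `not (...)` expression for a BPF file and a Snort `ipvar` negation, collapsing adjacent addresses into covering networks first so the filter grows with the number of networks rather than the number of hosts. The whitelist is constructed from RFC 5737 documentation ranges; IPv4 only is assumed.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample whitelist (RFC 5737 documentation ranges, not real hosts).
# Four adjacent /32s and two adjacent /25s are deliberately included so the
# collapse step has something to merge.
SAMPLE_WHITELIST = [
    "192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.0",
    "198.51.100.0/25", "198.51.100.128/25",
    "203.0.113.77",
]


def collapse(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse hosts/CIDRs and merge them into the fewest covering IPv4 networks."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return sorted(ipaddress.collapse_addresses(nets))


def to_bpf(nets: Iterable[ipaddress.IPv4Network]) -> str:
    """Build one BPF expression that excludes every whitelisted network.

    'host' is emitted for /32 entries and 'net' for larger blocks; both are
    standard pcap-filter syntax, so the line can go straight into a BPF file.
    """
    terms = []
    for n in nets:
        if n.prefixlen == 32:
            terms.append(f"host {n.network_address}")
        else:
            terms.append(f"net {n.with_prefixlen}")
    return "not (" + " or ".join(terms) + ")"


def to_ipvar(name: str, nets: Iterable[ipaddress.IPv4Network]) -> str:
    """Build the equivalent Snort ipvar negation, e.g. EXTERNAL_NET minus the list."""
    inner = ",".join(
        str(n.network_address) if n.prefixlen == 32 else n.with_prefixlen
        for n in nets
    )
    return f"ipvar {name} ![{inner}]"


if __name__ == "__main__":
    merged = collapse(SAMPLE_WHITELIST)
    print(f"{len(SAMPLE_WHITELIST)} entries collapsed to {len(merged)} networks")
    print(to_bpf(merged))                    # one line for the BPF file
    print(to_ipvar("EXTERNAL_NET", merged))  # one line for snort.conf
```

Regenerate the BPF file from the whitelist source whenever the list changes; the collapse step keeps the expression short even when the raw list is long.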

