[Emerging-Sigs] Potential BPF File Limitations?

Korodev korodev at gmail.com
Thu Oct 13 17:23:45 EDT 2011

> Blacklist -- If you are inline, will drop.
> Whitelist -- will not pass the traffic from the IPs into the detection engine.  Essentially bypassing all inspection.

If you're not running Snort inline, can you still use Blacklist, and
if so, will inspection also be bypassed, essentially doing the same
thing as Whitelist?

Besides not needing to restart Snort, are you aware of any other
(memory?) advantages to dumping large IPs here for whitelisting as
opposed to using BPF filters?

Not trying to be persnickety... I promise :)


