[Emerging-Sigs] Potential BPF File Limitations?

Joel Esler jesler at sourcefire.com
Thu Oct 13 17:32:43 EDT 2011


On Oct 13, 2011, at 5:23 PM, Korodev wrote:

>> Blacklist -- If you are inline, will drop.
>> Whitelist -- will not pass the traffic from the IPs into the detection engine.  Essentially bypassing all inspection.
> 
> If you're not running Snort inline, can you still use Blacklist, and
> if so, will inspection also be bypassed, essentially doing the same
> thing as Whitelist?
> 
I don't know, don't think I've ever tried to use blacklist not-inline. I would test it, but unfortunately, right this second, on my second monitor I'm reading code. So I can't test it right now. But it shouldn't be hard for you to test.


> Besides not needing to restart Snort, are you aware of any other
> (memory?) advantages to dumping large IP's here for whitelisting as
> opposed to using BPF filters?

BPF filter should be ultimately faster, as the IPs will never enter the engine in the first place; however, whitelisting takes place at the first stage of Snort, so it'll still be very fast. It's a lot easier to maintain a whitelist file as well. It depends on how much memory you have on your box as to how many IPs you can load (RAM, x64, etc.). But loading several million IPs can be done simply.

<goes back to reading code>

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
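The trade-off discussed in the reply (a BPF filter keeps the packets out of the engine entirely but needs a restart to change, while a whitelist file is easier to maintain) can be seen with a small added script. This is example code, not part of the thread and not Snort's own tooling. It assumes a whitelist file of one IPv4 address or CIDR per line with `#` comments, builds the equivalent BPF bypass expression from the same list, and checks which packets that expression would keep away from inspection; the sample whitelist content is constructed for the example.

```python
"""Added example: derive a BPF bypass expression from a whitelist file and
show which packets it would keep out of the detection engine.

Assumptions (not from the thread): whitelist format is one IPv4 address or
CIDR per line, '#' starts a comment, blank lines and duplicates are tolerated.
"""
import ipaddress

# Constructed sample whitelist content (not from the thread).
SAMPLE_WHITELIST = """\
# trusted scanners / monitoring hosts
10.1.2.3
192.168.0.0/16
# duplicate entries and blank lines should be ignored
10.1.2.3

"""


def parse_whitelist(text):
    """Return the list of unique networks in the file, in file order."""
    nets = []
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=False)  # bare IP -> /32
        if net not in seen:
            seen.add(net)
            nets.append(net)
    return nets


def to_bpf(nets):
    """Build 'not (host A or net B/len ...)' so matching packets never reach
    the engine; 'host' and 'net' match either direction, like a whitelist."""
    terms = []
    for net in nets:
        if net.prefixlen == net.max_prefixlen:
            terms.append(f"host {net.network_address}")
        else:
            terms.append(f"net {net.with_prefixlen}")
    return "not (" + " or ".join(terms) + ")" if terms else ""


def bypassed(nets, src, dst):
    """True if a packet between src and dst would be excluded from inspection
    (either endpoint is in a whitelisted network)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in net or d in net for net in nets)


if __name__ == "__main__":
    nets = parse_whitelist(SAMPLE_WHITELIST)
    print("BPF:", to_bpf(nets))
    for src, dst in [("192.168.5.5", "8.8.8.8"), ("8.8.8.8", "1.1.1.1")]:
        print(src, "->", dst, "bypassed:", bypassed(nets, src, dst))
```

The generated expression goes into the filter file passed to Snort at start-up, which is exactly why it cannot be changed without a restart, while the whitelist file itself is the thing you keep editing; note also that the whitelisted traffic never reaches any rule, so anything from those hosts is invisible to detection.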

