[Emerging-Sigs] Potential BPF File Limitations?

Jason Brvenik jason at sourcefire.com
Thu Oct 13 18:06:45 EDT 2011


On Thu, Oct 13, 2011 at 5:32 PM, Joel Esler <jesler at sourcefire.com> wrote:
> On Oct 13, 2011, at 5:23 PM, Korodev wrote:
>
>>> Blacklist -- If you are inline, will drop.
>>> Whitelist -- will not pass the traffic from the IPs into the detection engine.  Essentially bypassing all inspection.
>>
>> If you're not running Snort inline, can you still use Blacklist, and
>> if so, will inspection also be bypassed, essentially doing the same
>> thing as Whitelist?
>>
> I don't know, don't think I've ever tried to use blacklist not-inline. I would test it, but unfortunately, right this second, on my second monitor I'm reading code. So I can't test it right now.  But it shouldn't be hard for you to test.
>
>
>> Besides not needing to restart Snort, are you aware of any other
>> (memory?) advantages to dumping large IPs here for whitelisting as
>> opposed to using BPF filters?
>
> BPF filter should be ultimately faster, as the IPs will never enter the engine in the first place; however, whitelisting takes place at the first stage of Snort, so it'll still be very fast.  It's a lot easier to maintain a whitelist file as well.  It depends on how much memory you have on your box (RAM, x64, etc.) as to how many IPs you can load.  But loading several million IPs can be done simply.

IIRC BPF is an exponential performance hit because it does a byte
search of each packet against the BPF.

>
> <goes back to reading code>
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
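To make the comparison in the thread concrete, here is an added example (not from the thread or from Snort itself) that takes a constructed file in the reputation-whitelist format (one IP or CIDR per line, `#` comments) and emits the equivalent BPF expression for `snort -F`. The file name and the sample addresses are assumptions; the point is that the BPF grows by one term per address, which is why a large list belongs in the whitelist file rather than in a BPF.

```shell
#!/bin/sh
# Constructed sample in the Snort reputation whitelist file format:
# one IP or CIDR per line, '#' starts a comment (addresses are made up).
WHITELIST_SAMPLE='# constructed sample list, not real infrastructure
10.0.0.0/8
192.168.1.0/24   # branch office
203.0.113.7
'

# Read a whitelist file on stdin and print a one-line BPF expression that
# excludes the same addresses, e.g. for:  snort -c snort.conf -F whitelist.bpf
whitelist_to_bpf() {
    expr=""
    while IFS= read -r line; do
        # strip trailing comment and surrounding whitespace
        entry=$(printf '%s' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$entry" ] && continue
        case "$entry" in
            */*) term="net $entry" ;;    # CIDR block
            *)   term="host $entry" ;;   # single address
        esac
        if [ -z "$expr" ]; then expr="$term"; else expr="$expr or $term"; fi
    done
    if [ -n "$expr" ]; then
        printf 'not (%s)\n' "$expr"
    else
        printf 'ip\n'   # empty list: no exclusions, keep everything
    fi
}

# Count the entries; the BPF term count (and expression length) grows 1:1 with it.
whitelist_entry_count() {
    sed 's/#.*//' | grep -c '[0-9]'
}

# Stand-alone usage: print the BPF and the entry count for the sample.
printf '%s' "$WHITELIST_SAMPLE" | whitelist_to_bpf
printf '%s' "$WHITELIST_SAMPLE" | whitelist_entry_count
```

Pipe a real whitelist file through `whitelist_entry_count` before generating a BPF: a list of several million entries produces an expression of the same order of magnitude, whereas the reputation preprocessor loads it as a table.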

