-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Maurizio,
- --On August 7, 2007 19:06:19 +0100 Maurizio Molina <[EMAIL PROTECTED]> wrote: | Hi, | has anybody experience in setting up in NfSen profiles using as filter large sets | of IP addresses, like for example the following ones, listing known IRC C&C servers? | | http://www.bleedingthreats.net/rules/bleeding-botcc.rules | http://www.bleedingthreats.net/rules/bleeding-botcc-BLOCK.rules | | if yes, can you report any performance issue with that? Yes - we do. You can easily filter thousands of hosts in a profile, but you need that to do with IP lists, means the filer syntax is: ip in [ 1.2.3.4 2.3.4.5 3.4.5.6 ...] and so on. You must not use ip 1.2.3.4 or ip 2.3.4.5 or .... IP lists use binary search tree internally, the later are linear lists. On beefy machines the linear search is fine too for moderate number of flows - few millions, but IP lists are implemented exactly for large scale IP filtering. - Peter | Regards, | Maurizio | | | | ------------------------------------------------------------------------- | This SF.net email is sponsored by: Splunk Inc. | Still grepping through log files to find problems? Stop. | Now Search log events and configuration files using AJAX and a browser. | Download your FREE copy of Splunk now >> http://get.splunk.com/ | _______________________________________________ | Nfsen-discuss mailing list | [email protected] | https://lists.sourceforge.net/lists/listinfo/nfsen-discuss - -- _______ SWITCH - The Swiss Education and Research Network ______ Peter Haag, Security Engineer, Member of SWITCH CERT PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7 SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (Darwin) iQCVAwUBRrll9v5AbZRALNr/AQL/6QP/UHS1GdiMinKuB3nWarX3+nDMiIErQa4o TfPyh+hYS99hb3F8oRLRfQddrilRQ7lmPZooPhsfcnYiCE5hVaqpVwRIm0ZsxLmz s+dzk2CJIW0GKAaUdvRk2rBeO/oELRbn49zIcp8aonvixBVahR55yEyO1xn4x711 YHeoFsI0TKw= =655b -----END PGP SIGNATURE----- ------------------------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Still grepping through log files to find problems? Stop. Now Search log events and configuration files using AJAX and a browser. Download your FREE copy of Splunk now >> http://get.splunk.com/ _______________________________________________ Nfsen-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
