[Discussion] Non-combinatoric IP/port lists

Victor Julien lists at inliniac.net
Tue Feb 10 09:36:56 UTC 2009


Martin Fong wrote:
> Matt Jonkman wrote:
> 
>> Martin, can you elaborate on this one? Not sure what you're getting at.
>>
>> Non-combinatoric IP/port lists
> 
> Currently, we have blacklist-based rules that look like
> 
>     alert tcp [$HOME_NET,!$DNS_SERVERS,!$SMTP_SERVERS] [!$HTTP_PORTS,25]
> -> [<long IP list>] ...
> 
> but clearly the IP/port pairing is combinatoric.  The problem is that
> the current rule syntax cannot succinctly express more precise sets of
> IP/port bindings without increasing the number of (implicitly
> duplicated) rules.  

I like this suggestion...

> Alternatively I'd like to define some named
> IP/port set, and then reference it.  E.g.,
> 
>     alert tcp $MY_IP_PORT_BINDING -> [<long IP list>] ...

Interesting too.

Again, something to consider for the configuration & rules syntax...

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
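To make the combinatoric point from Martin's mail concrete, here is an added Python sketch. It is not code from the original thread or from any rule engine; it models a rule header's IP list and port list with simplified semantics (an address or port must fall in no negated entry and, if positive entries exist, in at least one of them), then compares the cross product a single header matches against a hypothetical named binding in the spirit of `$MY_IP_PORT_BINDING`. The variable values, host list and the binding contents are constructed for the example.

```python
import ipaddress
from typing import Callable, Dict, List, Set, Tuple

# Constructed variable definitions standing in for the $HOME_NET, $DNS_SERVERS,
# $SMTP_SERVERS and $HTTP_PORTS used in the mail; the values are illustrative.
IP_VARS: Dict[str, List[str]] = {
    "HOME_NET": ["10.0.0.0/24"],
    "DNS_SERVERS": ["10.0.0.53"],
    "SMTP_SERVERS": ["10.0.0.25"],
}
PORT_VARS: Dict[str, List[int]] = {"HTTP_PORTS": [80, 8080]}


def parse_list(text: str) -> List[Tuple[bool, str]]:
    """Split "[a,!b,c]" (brackets optional) into (negated, token) pairs."""
    body = text.strip()
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    items: List[Tuple[bool, str]] = []
    for tok in body.split(","):
        tok = tok.strip()
        if tok:
            items.append((tok.startswith("!"), tok.lstrip("!")))
    return items


def resolve_ips(token: str) -> List[ipaddress.IPv4Network]:
    """Expand $VAR through IP_VARS, otherwise treat the token as an address or CIDR."""
    names = IP_VARS[token[1:]] if token.startswith("$") else [token]
    return [ipaddress.ip_network(n, strict=False) for n in names]


def resolve_ports(token: str) -> List[int]:
    return PORT_VARS[token[1:]] if token.startswith("$") else [int(token)]


def ip_matches(ip: str, ip_list: str) -> bool:
    """Simplified list semantics (an assumption, not a real engine's parser): the
    address must lie in no negated entry and, if positive entries exist, in one."""
    addr = ipaddress.ip_address(ip)
    pos: List[ipaddress.IPv4Network] = []
    neg: List[ipaddress.IPv4Network] = []
    for negated, tok in parse_list(ip_list):
        (neg if negated else pos).extend(resolve_ips(tok))
    if any(addr in net for net in neg):
        return False
    return not pos or any(addr in net for net in pos)


def port_matches(port: int, port_list: str) -> bool:
    """Same simplified semantics for port lists."""
    pos: Set[int] = set()
    neg: Set[int] = set()
    for negated, tok in parse_list(port_list):
        (neg if negated else pos).update(resolve_ports(tok))
    if port in neg:
        return False
    return not pos or port in pos


def header_matches(ip: str, port: int, ip_list: str, port_list: str) -> bool:
    """One rule header pairs every address in ip_list with every port in
    port_list: its match set is the cross product of the two lists."""
    return ip_matches(ip, ip_list) and port_matches(port, port_list)


# Hypothetical named binding in the spirit of the proposed $MY_IP_PORT_BINDING:
# a list of (ip_list, port_list) pairs, each evaluated like its own header.
MY_IP_PORT_BINDING: List[Tuple[str, str]] = [
    ("$DNS_SERVERS", "53"),
    ("$SMTP_SERVERS", "25"),
    ("[$HOME_NET,!$DNS_SERVERS,!$SMTP_SERVERS]", "8443"),
]

# The closest single combinatoric header: every home host on every listed port.
COMBINATORIC_HEADER = ("$HOME_NET", "[25,53,8443]")


def binding_matches(ip: str, port: int, binding: List[Tuple[str, str]]) -> bool:
    return any(header_matches(ip, port, il, pl) for il, pl in binding)


def matched_pairs(hosts: List[str], ports: List[int],
                  pred: Callable[[str, int], bool]) -> Set[Tuple[str, int]]:
    """Enumerate which (host, port) pairs a predicate accepts."""
    return {(h, p) for h in hosts for p in ports if pred(h, p)}


def compare(hosts: List[str], ports: List[int]):
    """Return (pairs the single header matches, pairs the binding matches,
    over-matched pairs the header accepts but the binding would not)."""
    header = matched_pairs(hosts, ports, lambda h, p: header_matches(h, p, *COMBINATORIC_HEADER))
    binding = matched_pairs(hosts, ports, lambda h, p: binding_matches(h, p, MY_IP_PORT_BINDING))
    return header, binding, header - binding


if __name__ == "__main__":
    sample_hosts = ["10.0.0.53", "10.0.0.25", "10.0.0.7"]  # constructed sample hosts
    sample_ports = [25, 53, 8443, 80]
    hdr, bnd, extra = compare(sample_hosts, sample_ports)
    print(f"combinatoric header matches {len(hdr)} pairs, binding matches {len(bnd)}")
    for h, p in sorted(extra):
        print(f"  over-match: {h}:{p}")
```

Over the three sample hosts and four ports the single header matches nine pairs while the binding matches three; the six extra pairs (for instance the DNS server on port 25) are exactly the duplicated-rule cost the mail describes, since expressing the binding in today's syntax needs one header per (ip_list, port_list) pair.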
