[Discussion] Large number of IP's to monitor

• Previous message (by thread): [Discussion] Large number of IP's to monitor
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 03/22/2012 04:10 PM, Geert Alberghs wrote:
> Hello,
> 
> We are running Suricata 1.2.1 and want to scan packets for a large set
> of IP's. (our .rules file contains almost 100 000 entries, one for each IP) 
> 
> Creation of the new sid-msg.map works out fine. When restarting suricata
> it starts filling up the SWAP after a while and it is automatically killed.
> 
> Is there some kind of preprocessor that can be used to filter on IP's?
> 
> Thanks for wanting to help us.

Can you post an example of a rule? Suricata treats "ip only" rules
differently, but for a rule to be considered to be "ip only" one a
select subset of keywords can be used.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

• Previous message (by thread): [Discussion] Large number of IP's to monitor
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]