Hi,

Well, we use a plugin that aggregates all data of the last 5 minutes on srcip,dstip,dstport and checks every dstip,dstport combination against our botnet list and reports the srcip. I think this is a bit different than your situation but it might be comparable. Our list contains about 460 known botnet-controllers and the plugin takes on average 2 minutes (with variations of at most 10 seconds).
Werner.

Maurizio Molina wrote:
> Hi,
> has anybody experience in setting up in NfSen profiles using as filter large
> sets of IP addresses, like for example the following ones, listing known IRC
> C&C servers?
>
> http://www.bleedingthreats.net/rules/bleeding-botcc.rules
> http://www.bleedingthreats.net/rules/bleeding-botcc-BLOCK.rules
>
> if yes, can you report any performance issue with that?
> Regards,
> Maurizio
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems? Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >> http://get.splunk.com/
> _______________________________________________
> Nfsen-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
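
The approach described in the reply above (aggregate one window on srcip,dstip,dstport, look each dstip,dstport pair up in the list, report the srcip), sketched as an added example that is not part of the original thread and not the plugin's own code. The CSV layout, the watchlist entries and the function names are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed watchlist of (dstip, dstport) pairs; documentation addresses only.
BOTNET_CC = {("203.0.113.10", 6667), ("203.0.113.77", 8080)}

# Constructed flow records for one 5-minute window (assumed layout, not nfdump output).
SAMPLE_FLOWS = """srcip,dstip,dstport,bytes
192.0.2.5,203.0.113.10,6667,420
192.0.2.5,203.0.113.10,6667,380
192.0.2.9,198.51.100.20,443,15000
192.0.2.14,203.0.113.77,8080,90
192.0.2.14,203.0.113.77,80,1200
192.0.2.5,198.51.100.20,443,700
"""

def aggregate(flow_csv):
    """Collapse flows to one entry per (srcip, dstip, dstport) with flow and byte totals."""
    totals = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(io.StringIO(flow_csv)):
        key = (row["srcip"], row["dstip"], int(row["dstport"]))
        totals[key][0] += 1
        totals[key][1] += int(row["bytes"])
    return totals

def find_contacts(totals, watchlist):
    """Return {srcip: [(dstip, dstport, flows, bytes), ...]} for watchlist hits."""
    hits = defaultdict(list)
    for (src, dst, port), (flows, nbytes) in totals.items():
        # One set lookup per aggregated tuple, so cost does not grow with list size.
        if (dst, port) in watchlist:
            hits[src].append((dst, port, flows, nbytes))
    return dict(hits)

if __name__ == "__main__":
    found = find_contacts(aggregate(SAMPLE_FLOWS), BOTNET_CC)
    for src, contacts in sorted(found.items()):
        for dst, port, flows, nbytes in contacts:
            print(f"{src} -> {dst}:{port} flows={flows} bytes={nbytes}")
```

Because the lookup happens after aggregation, the work scales with the number of distinct tuples in the window rather than with the length of the list.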
