Snort mailing list archives
Re: non-CIDR address masking in rules?
From: "Andrew R. Baker" <andrewb () snort org>
Date: Tue, 06 Nov 2001 23:43:08 -0800
Glenn Forbes Fleming Larratt wrote:
Is there a way to use address/mask pairs explicitly in a rule, rather than CIDR notation? Particularly, does snort have the capability to understand address/mask pairs that *don't* simplify to CIDR notation, eg: 172.16.4.0 0.0.8.255 => 172.16.4.0/24 or 172.16.12.0/24 or 172.16.0.250 0.0.255.15 => anything in 172.16.0.0/16 with a last octet > 239 ?
Yes snort understands non CIDR netmasks, instead of specifying a CIDR block, just use a regular netmask. Although I think you have your bits flipped on your netmasks. For exampe you could use 172.16.0.250/255.255.0.255 to match all hosts in the 172.16.0.0/16 netblock with a final octet of 250. -A _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- non-CIDR address masking in rules? Glenn Forbes Fleming Larratt (Nov 05)
- Re: non-CIDR address masking in rules? Andrew R. Baker (Nov 06)