Snort mailing list archives

Re: non-CIDR address masking in rules?

From: "Andrew R. Baker" <andrewb () snort org>
Date: Tue, 06 Nov 2001 23:43:08 -0800

Glenn Forbes Fleming Larratt wrote:


Is there a way to use address/mask pairs explicitly in a rule, rather than
CIDR notation? Particularly, does snort have the capability to understand
address/mask pairs that *don't* simplify to CIDR notation, eg:

        172.16.4.0 0.0.8.255 => 172.16.4.0/24 or 172.16.12.0/24

or

        172.16.0.250 0.0.255.15 => anything in 172.16.0.0/16 with a last
                                        octet > 239

?


Yes snort understands non CIDR netmasks, instead of specifying a CIDR
block, just use a regular netmask.  Although I think you have your bits
flipped on your netmasks.  For exampe you could use
172.16.0.250/255.255.0.255 to match all hosts in the 172.16.0.0/16
netblock with a final octet of 250.

-A

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

non-CIDR address masking in rules? Glenn Forbes Fleming Larratt (Nov 05)
- Re: non-CIDR address masking in rules? Andrew R. Baker (Nov 06)