Snort mailing list archives
ip ranges?
From: "Edwin Eefting" <edwin () bit nl>
Date: 23 Oct 2001 10:15:08 CEST
Why won't this work:
var HOME_NET [213.136.0.0/19,!213.136.3.0/24]
Our homenet should be 213.136.0.0/19, except 213.136.3.0/24, which are dialup
accounts (and they generate a lot of alerts!).
I've written a Perl script to generate something like this:
var HOME_NET [213.136.0.0/24,213.136.1.0/24,213.136.2.0/24,213.136.4.0/24,213.136.5.0/24,213.136.6.0/24,213.136.7.0/24,213.136.8.0/24,213.136.9.0/24,213.136.10.0/24,213.136.11.0/24,213.136.12.0/24,213.136.13.0/24,213.136.14.0/24,213.136.15.0/24,213.136.16.0/24,213.136.17.0/24,213.136.18.0/24,213.136.19.0/24,213.136.20.0/24,213.136.21.0/24,213.136.22.0/24,213.136.23.0/24,213.136.24.0/24,213.136.25.0/24,213.136.26.0/24,213.136.27.0/24,213.136.28.0/24,213.136.29.0/24,213.136.30.0/24,213.136.31.0/24]
Pretty eh? ;-)
But this seems to use a lot of CPU time. (guess it has to evaluate a lot more
IPs with every rule)
What's a nicer solution?
Edwin
--
Edwin Eefting
Business Internet Trends BV
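
The address set covered by the 31-entry list in the post (213.136.0.0/19 without 213.136.3.0/24) can be written as five CIDR blocks with no negation. The following is an added example, not part of the original post or of Snort: the function names `subtract_networks` and `snort_var` are hypothetical, and it assumes the Snort version in use accepts a bracketed, comma-separated CIDR list as shown in the post.

```python
import ipaddress


def subtract_networks(base, excluded):
    """Return the smallest sorted list of CIDR blocks covering `base`
    minus every network in `excluded` (hypothetical helper)."""
    remaining = [ipaddress.ip_network(base)]
    for ex in map(ipaddress.ip_network, excluded):
        kept = []
        for net in remaining:
            if ex.version != net.version or not ex.overlaps(net):
                kept.append(net)        # exclusion does not touch this block
            elif ex.supernet_of(net):
                continue                # block is entirely excluded
            else:
                # ex lies strictly inside net: split net around it
                kept.extend(net.address_exclude(ex))
        remaining = kept
    # Merge sibling blocks that can be expressed as one shorter prefix
    return sorted(ipaddress.collapse_addresses(remaining))


def snort_var(name, networks):
    """Render a Snort 'var' line in the bracketed-list form used in the post."""
    return "var %s [%s]" % (name, ",".join(str(n) for n in networks))


if __name__ == "__main__":
    # Values taken from the post: the /19 home network and the dialup /24
    nets = subtract_networks("213.136.0.0/19", ["213.136.3.0/24"])
    print(snort_var("HOME_NET", nets))
```
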
