Snort mailing list archives

Re: HELP on configuration


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 06 Feb 2002 14:03:47 -0500

Try specifying a mask size... If it is a single host, the mask is /32, like this:

var INFN_AFS_SERVERS [141.108.3.252/32]

I suspect your first variable only works because of an implementation issue where such formatting happens when specifying multiple IPs, but as best I know, this is bad form in snort. Every sample rule has a /32 netmask for single IPs, so I'd assume this is the expected input format and specifying an IP address without one is invalid input.

Section 2.2.3 of the "writing snort rules" guide even specifically says you need a CIDR type netmask:

"The addresses are formed by a straight numeric IP address and a CIDR[,] block. The CIDR block indicates the netmask that should be applied to the rule's address and any incoming packets that are tested against the rule. A CIDR block mask of /24 indicates a Class C network, /16 a Class B network, and /32 indicates a specific machine address."

http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.2.3


At 03:13 PM 2/6/2002 +0100, Enrico M.V. Fasanelli wrote:

Dear all,

In particular:

var LE_AFS_SERVERS [192.84.152.68,192.84.152.37,192.84.152.83,192.84.152.148,192.84.152.100]
   var INFN_AFS_SERVERS [141.108.3.252]
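
A small linter that applies the advice in the reply above, as an added example that is not part of the original messages or of Snort itself: it finds bare IPv4 addresses in `var` lines and rewrites them with an explicit /32. The function names `normalize_var` and `normalize_config` are hypothetical, and the `HOME_NET` and `MIXED` lines in the sample are constructed; the two AFS lines are the ones quoted in the thread.

```python
import ipaddress
import re

# "var NAME value" lines as they appear in snort.conf.
VAR_RE = re.compile(r"^\s*var\s+(\S+)\s+(.+?)\s*$")

# Constructed sample config; the two AFS lines come from the thread.
SAMPLE = """\
var HOME_NET any
var LE_AFS_SERVERS [192.84.152.68,192.84.152.37,192.84.152.83,192.84.152.148,192.84.152.100]
   var INFN_AFS_SERVERS [141.108.3.252]
var MIXED [10.1.2.0/24,10.9.9.9]
"""

def normalize_var(line):
    """Return (line, findings); bare IPv4 addresses in a var get an explicit /32."""
    m = VAR_RE.match(line)
    if not m:
        return line, []
    name, value = m.groups()
    bracketed = value.startswith("[") and value.endswith("]")
    inner = value[1:-1] if bracketed else value
    fixed, findings = [], []
    for item in (i.strip() for i in inner.split(",")):
        if "/" not in item:
            try:
                ipaddress.IPv4Address(item)
            except ValueError:
                pass  # "any", "$OTHER_VAR", a port number: not an address, keep as is
            else:
                findings.append(f"{name}: {item} has no mask, rewritten as {item}/32")
                item += "/32"
        fixed.append(item)
    if not findings:
        return line, []  # nothing to change, preserve the original formatting
    body = ",".join(fixed)
    return f"var {name} " + (f"[{body}]" if bracketed else body), findings

def normalize_config(text):
    """Apply normalize_var to every line; return (new_text, all_findings)."""
    out, findings = [], []
    for line in text.splitlines():
        new, found = normalize_var(line)
        out.append(new)
        findings.extend(found)
    return "\n".join(out), findings

if __name__ == "__main__":
    new_text, findings = normalize_config(SAMPLE)
    print(new_text, *findings, sep="\n")
```

Entries that already carry a mask are left untouched, so the script can be rerun on its own output without further changes.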

