Snort mailing list archives

RE: IP Range Problems

From: "Hutchinson, Andrew" <andrew.hutchinson () Vanderbilt Edu>
Date: Wed, 9 Jul 2003 07:07:12 -0500

Actually, the answer that Ben and I each posted
(10.5.0.0/22,10.5.4.0/24) AND the answer that Brian posted were both
right.  It's just that Ben and I answered what we thought that the
posted *meant* to say, while Brian actually answered correctly given
what the user *did* say.  As Brian pointed out, the notation above
covers 2 IP's (10.5.0.0/32 and 10.5.4.255/32) that the user did not
include in his range (which was listed as 10.5.0.1-10.5.4.254).  I just
assumed that the user wanted to look at 5 class B's in their entirety,
even though that's not technically what he said.

So we're all right, and can all bask in the warm glow of correctness.
:-)

Andrew Hutchinson - Network Security
Vanderbilt University Medical Center
(615) 936-2856

-----Original Message-----
From: Bryan Irvine [mailto:bryan.irvine () kingcountyjournal com] 
Sent: Tuesday, July 08, 2003 3:47 PM
To: Brian
Cc: Nelson, Ben; Ryan Vennell; snort-users () lists sourceforge net
Subject: Re: [Snort-users] IP Range Problems

uhhh no.  Ben had it right.  With a subnet mask of /22 that covers
10.5.0.0-10.5.3.255  and then the /24 covers 
10.5.4.0-10.5.4.255.  There
is no point to writing them all out like that, especially with the /32
why add in a NET for a single ip?

That is an odd range of ip's though, it doesn't fit in well with CIDR
style notation.  is this 1 network with a netmask of 255.255.251.0??? 
strange....

10.5.0.0/21.5-ish  ;-) 

Out of curiosity are these networks split across multiple interfaces?

--Bryan

On Tue, 2003-07-08 at 13:03, Brian wrote:

On Tue, Jul 08, 2003 at 11:58:11AM -0600, Nelson, Ben wrote:

i want snort to look at the ip range of 10.5.0.1 -

10.5.4.254 but i cant

figure out how to input this into the ip list.  how do i

put that into

the var HOME_NET list?  thanks for any help


var HOME_NET [10.5.0.0/22,10.5.4.0/24]


technically, thats not correct.  You would also look at

10.5.0.0 and

10.5.4.255 which don't fit in the range specified.  For the

most part,

that will work, but if you want to be exact, you need:

var HOME_NET

[10.5.0.1/32,10.5.0.2/31,10.5.0.4/30,10.5.0.8/29,10.5.0.16/28,
10.5.0.32/27,10.5.0.64/26,10.5.0.128/25,10.5.1.0/24,10.5.2.0/2
3,10.5.4.0/25,10.5.4.128/26,10.5.4.192/27,10.5.4.224/28,10.5.4
.240/29,10.5.4.248/30,10.5.4.252/31,10.5.4.254/32]


aggregate is your friend.  (echo 10.5.0.1 - 10.5.4.254 |

aggregate -i range)


-brian


-------------------------------------------------------
This SF.Net email sponsored by: Parasoft
Error proof Web apps, automate testing & more.
Download & eval WebKing and get a free book.
www.parasoft.com/bulletproofapps
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------
This SF.Net email sponsored by: Parasoft
Error proof Web apps, automate testing & more.
Download & eval WebKing and get a free book.
www.parasoft.com/bulletproofapps
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.Net email sponsored by: Parasoft
Error proof Web apps, automate testing & more.
Download & eval WebKing and get a free book.
www.parasoft.com/bulletproofapps
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

IP Range Problems Ryan Vennell (Jul 08)
- <Possible follow-ups>
- RE: IP Range Problems Hutchinson, Andrew (Jul 08)
- RE: IP Range Problems Esler, Joel Contractor (Jul 08)
- Re: IP Range Problems James Nonya (Jul 08)
- RE: IP Range Problems Nelson, Ben (Jul 08)
  - Re: IP Range Problems Brian (Jul 08)
    - Re: IP Range Problems Bryan Irvine (Jul 08)
- RE: IP Range Problems Hutchinson, Andrew (Jul 09)
- Re: IP Range Problems Marc Quibell (Jul 09)
  - Re: IP Range Problems Rich Adamson (Jul 09)
- IP Range Problems Ryan Vennell (Aug 06)
  - Antwort: IP Range Problems m . stiefenhofer (Aug 06)
    - Re: Antwort: IP Range Problems Erek Adams (Aug 06)
  - Re: IP Range Problems lists (Aug 06)