Snort mailing list archives

Re: IP Range Problems


From: "Marc Quibell" <mquibell () fbfs com>
Date: Wed, 9 Jul 2003 09:59:17 -0500




Actually, I would not even recommend that. I like the original /22 and /24
answer, especially since one would also want to look at Network (10.5.0.0) and
Broadcast (10.5.4.255) probes and DoS attacks. I imagine the poster was not
being quite literal. It would be a mistake to leave those out.


Message: 1
Date: Tue, 8 Jul 2003 16:03:44 -0400
From: Brian <bmc () snort org>
To: "Nelson, Ben" <bnelson () rightnow com>
Cc: Ryan Vennell <rvennell () dbu edu>,
  snort-users () lists sourceforge net
Subject: Re: [Snort-users] IP Range Problems

On Tue, Jul 08, 2003 at 11:58:11AM -0600, Nelson, Ben wrote:
I want Snort to look at the IP range of 10.5.0.1 - 10.5.4.254 but I can't
figure out how to input this into the IP list.  How do I put that into
the var HOME_NET list?  Thanks for any help.

var HOME_NET [10.5.0.0/22,10.5.4.0/24]

Technically, that's not correct.  You would also look at 10.5.0.0 and
10.5.4.255, which don't fit in the range specified.  For the most part,
that will work, but if you want to be exact, you need:

var HOME_NET [10.5.0.1/32,10.5.0.2/31,10.5.0.4/30,10.5.0.8/29,10.5.0.16/28,10.5.0.32/27,10.5.0.64/26,10.5.0.128/25,10.5.1.0/24,10.5.2.0/23,10.5.4.0/25,10.5.4.128/26,10.5.4.192/27,10.5.4.224/28,10.5.4.240/29,10.5.4.248/30,10.5.4.252/31,10.5.4.254/32]


aggregate is your friend.  (echo 10.5.0.1 - 10.5.4.254 | aggregate -i range)

-brian
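
The range-to-CIDR split discussed in this thread, as an added example that is not part of the original messages: it uses Python's standard `ipaddress` module to build the exact block list for 10.5.0.1 - 10.5.4.254 and to list which addresses the shorter /22 plus /24 form matches outside that range. The function names are assumptions made for this illustration.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Return the minimal CIDR blocks covering exactly first..last (inclusive)."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is above range end")
    blocks = []
    while lo <= hi:
        # Largest power-of-two block that is aligned on lo ...
        size = lo & -lo if lo else 1 << 32
        # ... shrunk until it no longer runs past hi.
        while size > hi - lo + 1:
            size >>= 1
        prefix = 32 - (size.bit_length() - 1)
        blocks.append(ipaddress.IPv4Network((lo, prefix)))
        lo += size
    return blocks

def home_net_var(blocks):
    """Format blocks as a single-line Snort variable definition."""
    return "var HOME_NET [" + ",".join(str(b) for b in blocks) + "]"

def extra_addresses(blocks, first, last):
    """Addresses matched by blocks that fall outside first..last."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    return [a for net in blocks for a in net if not lo <= a <= hi]

if __name__ == "__main__":
    first, last = "10.5.0.1", "10.5.4.254"   # range from the question
    exact = range_to_cidrs(first, last)
    loose = [ipaddress.IPv4Network("10.5.0.0/22"),
             ipaddress.IPv4Network("10.5.4.0/24")]
    print(home_net_var(exact))
    print("exact form, addresses outside range:",
          extra_addresses(exact, first, last))
    print("loose form, addresses outside range:",
          [str(a) for a in extra_addresses(loose, first, last)])
```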



