Snort mailing list archives

Re: IP Range Problems


From: Rich Adamson <radamson () routers com>
Date: Wed, 9 Jul 2003 11:21:26 -0600

 
Actually, I would not even recommend that. I like the original /22 and /24
answer, especially since one would also want to look at Network (10.5.0.0) and
Broadcast (10.5.4.255) probes and DoS attacks. I imagine the poster was not
being quite literal. It would be a mistake to leave those out.
<cut>
var HOME_NET [10.5.0.1/32,10.5.0.2/31,10.5.0.4/30,10.5.0.8/29,10.5.0.16/28,10.5.0.32/27,10.5.0.64/26,10.5.0.128/25,10.5.1.0/24,10.5.2.0/23,10.5.4.0/25,10.5.4.128/26,10.5.4.192/27,10.5.4.224/28,10.5.4.240/29,10.5.4.248/30,10.5.4.252/31,10.5.4.254/32]

I think we've pretty much beat this one to death, but there is one more small
consideration. 

The /22 definition assumes contiguous addresses from bottom to top with a 
"single" broadcast address.

If the original poster is using individual class-b definitions within his
network (e.g., servers, routers, etc.), then the snort definitions should 
follow those existing definitions.

One "could" specify a very large number of CIDR combinations that would
include the adjacent IP addresses, but technically he should be using his
"real" addressing scheme. Without knowing his exact implementation, many
of the posted responses could be either right on, or wrong.

Rich
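
Added example, not part of the original message or of Snort itself: a short Python script that rebuilds the long HOME_NET list quoted above from its endpoints (10.5.0.1 to 10.5.4.254) and shows which addresses the compact form covers in addition. It assumes the "/22 and /24 answer" means 10.5.0.0/22 plus 10.5.4.0/24; the function names and the five /24 subnets used to illustrate a "real" addressing scheme are hypothetical.

```python
import ipaddress

# Range endpoints taken from the HOME_NET list quoted in the post.
FIRST = ipaddress.IPv4Address("10.5.0.1")
LAST = ipaddress.IPv4Address("10.5.4.254")

# Assumption: the "/22 and /24 answer" refers to these two prefixes.
COMPACT = [ipaddress.ip_network("10.5.0.0/22"),
           ipaddress.ip_network("10.5.4.0/24")]

# Hypothetical "real" addressing scheme: five separate /24 subnets.
REAL_SUBNETS = [ipaddress.ip_network("10.5.%d.0/24" % i) for i in range(5)]


def exact_cidrs(first, last):
    """Minimal CIDR list covering exactly first..last inclusive."""
    return list(ipaddress.summarize_address_range(first, last))


def snort_var(name, nets):
    """Render a Snort 'var' line with a bracketed, comma-separated list."""
    return "var %s [%s]" % (name, ",".join(str(n) for n in nets))


def extra_addresses(compact, first, last):
    """Addresses matched by the compact prefixes but outside first..last."""
    return [a for net in compact for a in net if not first <= a <= last]


def subnet_edges(subnets):
    """Network and broadcast address of each subnet actually in use."""
    return [(str(n.network_address), str(n.broadcast_address)) for n in subnets]


if __name__ == "__main__":
    print(snort_var("HOME_NET", exact_cidrs(FIRST, LAST)))
    print(snort_var("HOME_NET", COMPACT))
    # The only two addresses the short form adds to the long one.
    print("extra:", [str(a) for a in extra_addresses(COMPACT, FIRST, LAST)])
    # With per-subnet addressing, every subnet has its own edges to watch.
    for net_addr, bcast in subnet_edges(REAL_SUBNETS):
        print("network", net_addr, "broadcast", bcast)
```

With the hypothetical /24 layout, addresses such as 10.5.0.255 and 10.5.1.0 are subnet broadcast and network addresses even though both HOME_NET forms treat them as ordinary hosts.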



