Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CIDR notation question

From: Chris Green <cmg () sourcefire com>
Date: Mon, 14 Jul 2003 08:00:32 -0400
Rich Adamson <radamson () routers com> writes:


A couple of us are having a discuss off list.  Does anyone know (for a 
fact) how snort treats CIDR notation?

var HOME_NET [172.16.0.0/23] implies 512 addresses, one broadcast
address (172.16.1.255), and 172.16.0.255 is a valid device address.


Is there any code that would assume natural subnet masks, or, analyze
packets in such a way as to assume 172.16.0.255 is treated differently?


No.




Or, asking the question slightly different...
  is var HOME_NET [172.16.0.0/24,172.16.1.0/24]
    treated exactly the same as
  HOME_NET [172.16.0.0/23]
when packets are analyzed?



Functionally the same but there is no optimization phase for the IP
addresses that will determine when you could write a subnet more
consisely so the latter ends up being more efficient.
-- 
Chris Green <cmg () sourcefire com>
Let not the sands of time get in your lunch.


-------------------------------------------------------
This SF.Net email sponsored by: Parasoft
Error proof Web apps, automate testing & more.
Download & eval WebKing and get a free book.
www.parasoft.com/bulletproofapps1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: