[Snort-devel] Re: [Snort-users] Multiple IP address matching

James Hoagland hoagland at ...60...
Mon Sep 25 12:17:35 EDT 2000


At 1:55 AM -0400 9/24/00, Martin Roesch wrote:
>...
>For the record, I actually made a stab at implementing this whole address list
>system a long time ago and had to ditch it because (at the time) it was too
>much work to modify the IP address checking functions and I was worried about
>the speed.  This may even have been pre-1.3 code, so it was a big deal back
>then. :)

Forgot to include my code that uses the multiple subnets before ...

skip_packet= 1; /* skip unless is in a homenet */
for (home= homelist; home != NULL; home=home->next) {
   if ((p->iph->ip_dst.s_addr & home->netmask) == home->netaddr) {
     skip_packet= 0;
     break;
   }
}

This doesn't seem that bad to me in terms of efficiency.

-- Jim
-- 
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...60...                *|
|*  Voice: (707) 445-4355 x13          Fax: (707) 445-4222  *|



More information about the Snort-devel mailing list