[Snort-devel] Re: "ERROR: Bad CIDR size , 1 to 32 please!" when using $_ADDRESS
hoagland at ...60...
Tue May 7 11:08:04 EDT 2002

The correct format for the Spade homenet specification is a space
separated list of CIDRs. It does not understand a '!'.

Something else to note is that we've come across problems before in
using a variable in the configuration file to represent a space
separated list. In this case you'll just have to list the networks
on the spade-homenet line itself.

Incidentally, spade-homenet tells Spade which networks you want it to
"protect". So you probably mean to give it $HOMENET, not

Developers- I think it would be useful to have a common facility for
handling lists of networks that can be shared by the Snort signature
code and different Snort plugins. That way not everyone has to
reinvent the wheel. The interface to it would be pretty simple.
Give it a specification of a (possibly non-contiguous) network in
certain accepted formats and it returns an opaque pointer. Another
function takes this pointer and an IP address and returns whether the
IP address is in the network. Efficient handling for long lists of
networks optional. (Might not really be needed, I recently gave
Spade over 1000 homenets and it didn't seem to slow down much.)

I know the functionality must already exist. Not sure if a defined
facility does though, it didn't find any when I wrote Spade initially.

|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: IDS Solutions --- *|
|* hoagland at ...60..., http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
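
The two-function interface proposed to the developers in the message above, sketched as an added example; it is not Snort or Spade code and not from the message's author. The `netlist_*` names are hypothetical, and the sketch assumes IPv4 only, a space-separated list of CIDRs as the accepted format, and that an address with no prefix length means /32.

```c
/* Added example; netlist_* names are hypothetical, not Snort or Spade APIs. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct cidr { uint32_t net, mask; };                 /* host byte order */
typedef struct netlist { size_t n; struct cidr *v; } netlist;
void netlist_free(netlist *nl) { if (nl) { free(nl->v); free(nl); } }

/* Parse a space-separated list of a.b.c.d/len (len 1..32; no suffix = /32).
 * Any bad token, e.g. one starting with '!', fails the whole list (NULL). */
netlist *netlist_parse(const char *spec) {
    netlist *nl = calloc(1, sizeof *nl);
    if (!nl) return NULL;
    for (const char *p = spec; *(p += strspn(p, " \t")); ) {
        char tok[32], *slash, *end;
        struct in_addr a;
        long len = 32;
        size_t tl = strcspn(p, " \t");               /* length of this token */
        if (tl >= sizeof tok) goto fail;
        memcpy(tok, p, tl); tok[tl] = '\0';
        p += tl;
        if ((slash = strchr(tok, '/')) != NULL) {
            *slash = '\0';
            len = strtol(slash + 1, &end, 10);
            if (end == slash + 1 || *end || len < 1 || len > 32) goto fail;
        }
        if (inet_pton(AF_INET, tok, &a) != 1) goto fail;
        struct cidr *v = realloc(nl->v, (nl->n + 1) * sizeof *v);
        if (!v) goto fail;
        nl->v = v;
        v[nl->n].mask = 0xFFFFFFFFu << (32 - len);
        v[nl->n].net = ntohl(a.s_addr) & v[nl->n].mask;
        nl->n++;
    }
    return nl;
fail:
    netlist_free(nl);
    return NULL;
}

/* 1 if ip is inside any listed network, 0 if not, -1 if ip does not parse. */
int netlist_contains(const netlist *nl, const char *ip) {
    struct in_addr a;
    if (inet_pton(AF_INET, ip, &a) != 1) return -1;
    for (size_t i = 0; i < nl->n; i++)
        if ((ntohl(a.s_addr) & nl->v[i].mask) == nl->v[i].net) return 1;
    return 0;
}
```

Rejecting the whole list on one bad token keeps a mistyped entry from silently shrinking the set of networks being watched.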