[Snort-devel] Re: "ERROR: Bad CIDR size [255], 1 to 32 please!" when using $_ADDRESS

James Hoagland hoagland at ...60...
Tue May 7 11:08:04 EDT 2002


Hello Brian,

The correct format for the Spade homenet specification is a 
space-separated list of CIDRs.  It does not understand a '!'.

Something else to note is that we've come across problems before in 
using a variable in the configuration file to represent a 
space-separated list.  In this case you'll just have to list the networks 
on the spade-homenet line itself.

Incidentally, spade-homenet tells Spade which networks you want it to 
"protect".  So you probably mean to give it $HOMENET, not 
$EXTERNAL_NET.

Developers- I think it would be useful to have a common facility for 
handling lists of networks that can be shared by the Snort signature 
code and different Snort plugins.  That way not everyone has to 
reinvent the wheel.  The interface to it would be pretty simple. 
Give it a specification of a (possibly non-contiguous) network in 
certain accepted formats and it returns an opaque pointer.  Another 
function takes this pointer and an IP address and returns whether the 
IP address is in the network.  Efficient handling for long lists of 
networks optional.  (Might not really be needed, I recently gave 
Spade over 1000 homenets and it didn't seem to slow down much.)

I know the functionality must already exist.  Not sure if a defined 
facility does though, I didn't find any when I wrote Spade initially.

Best regards,

   Jim
-- 
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland at ...60..., http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
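
A sketch of the shared network-list facility proposed in the message above, added here as an illustration; it is not code from Snort, Spade, or the original post. The names `netlist_t`, `netlist_parse`, `netlist_contains` and `netlist_free` are hypothetical, and the parser accepts only the space-separated CIDR format the message describes, with the 1 to 32 prefix bound from the subject-line error.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical API: none of these names come from Snort or Spade. */
typedef struct { size_t n; struct { uint32_t net, mask; } *e; } netlist_t;

void netlist_free(netlist_t *nl) { if (nl) { free(nl->e); free(nl); } }

/* Parse a space-separated list of a.b.c.d/len CIDRs; NULL on any bad token. */
netlist_t *netlist_parse(const char *spec) {
    netlist_t *nl = calloc(1, sizeof *nl);
    if (!nl) return NULL;
    for (const char *p = spec + strspn(spec, " \t"); *p; p += strspn(p, " \t")) {
        char tok[64], *slash, *end;
        struct in_addr a;
        size_t w = strcspn(p, " \t");
        if (w >= sizeof tok) goto bad;
        memcpy(tok, p, w); tok[w] = '\0'; p += w;
        slash = strchr(tok, '/');
        if (!slash || !isdigit((unsigned char)slash[1])) goto bad;
        *slash = '\0';
        long len = strtol(slash + 1, &end, 10);
        /* Prefix length 1 to 32, the bound named in the subject-line error. */
        if (*end || len < 1 || len > 32) goto bad;
        if (inet_pton(AF_INET, tok, &a) != 1) goto bad;  /* rejects '!' prefixes */
        void *grown = realloc(nl->e, (nl->n + 1) * sizeof *nl->e);
        if (!grown) goto bad;
        nl->e = grown;
        nl->e[nl->n].mask = 0xFFFFFFFFu << (32 - len);
        nl->e[nl->n].net = ntohl(a.s_addr) & nl->e[nl->n].mask;
        nl->n++;
    }
    return nl;
bad:
    netlist_free(nl);
    return NULL;
}

/* 1 if ip is inside any listed network, 0 if not, -1 if ip does not parse. */
int netlist_contains(const netlist_t *nl, const char *ip) {
    struct in_addr a;
    if (!nl || inet_pton(AF_INET, ip, &a) != 1) return -1;
    for (size_t i = 0; i < nl->n; i++)
        if ((ntohl(a.s_addr) & nl->e[i].mask) == nl->e[i].net) return 1;
    return 0;
}
```

The lookup is a linear scan, matching the "efficient handling optional" remark in the message. Failing the whole list on one bad token means a malformed entry is never silently dropped from the protected set.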
