[Snort-devel] How is the network mask used in the detection engine?
Salvo Danilo Giuffrida
salvodanilogiuffrida at ...2499...
Mon Jun 16 05:13:57 EDT 2008
Hello, I studied the way that, once a packet is read from the network
interface, its fields are used to match one or more rules. It seems to
me that the network mask portion (in CIDR format) of each rule is not
taken into account; in fact, there is no field for it in the 'Rule'
struct (and there is none in the 'Packet' struct either). So, is it
only used to group IPs, like 10.0.0.0/24?
If a packet from the subnet 10.0.0.0/24 arrives, and there is a rule
for the subnet 10.0.0.0/8, is it matched against it? My feeling is
that it isn't, because the 1st subnetwork contains more IPs than the
2nd, IPs that could not be matched by the 256 ones in the 10.0.0.0/8
subnet... But in any case, it seems that a rule like
alert 10.0.0.3 any -> 18.104.22.168 any
is functionally equivalent to
alert 10.0.0.0/8 any -> 22.214.171.124 any
Or not? Maybe the 2nd one will be triggered also if a packet from
10.0.0.4, or any other of the 256 IPs of that subnet, goes to
Thanks a lot
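
Added example, not part of the original post and not code from Snort's detection engine: a generic CIDR matcher showing which packet source addresses a rule address such as 10.0.0.3, 10.0.0.0/24 or 10.0.0.0/8 covers. The names cidr_t, cidr_parse, cidr_size and rule_matches are hypothetical, and the packet address 10.200.1.1 is a constructed sample.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical rule-address type for this example (not Snort's struct). */
typedef struct { uint32_t net, mask; } cidr_t;   /* host byte order */

/* Parse dotted-quad "a.b.c.d" into a 32-bit value; 0 on success. */
static int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d; char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255) return -1;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 0;
}

/* Parse "a.b.c.d" or "a.b.c.d/len" (len 0..32); a bare address means /32. */
int cidr_parse(const char *s, cidr_t *out) {
    char buf[32], *slash, *end;
    unsigned long len = 32;
    if (strlen(s) >= sizeof buf) return -1;
    strcpy(buf, s);
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash++ = '\0';
        len = strtoul(slash, &end, 10);
        if (end == slash || *end != '\0' || len > 32) return -1;
    }
    if (parse_ipv4(buf, &out->net) != 0) return -1;
    /* A shift by 32 is undefined in C, so /0 is handled separately. */
    out->mask = len == 0 ? 0 : 0xFFFFFFFFu << (32 - len);
    out->net &= out->mask;            /* drop any host bits in the rule */
    return 0;
}

/* Number of addresses the rule address covers: 2^(32 - len). */
uint64_t cidr_size(const cidr_t *c) { return (uint64_t)(uint32_t)~c->mask + 1; }

/* 1 = packet address is inside the rule's network, 0 = not, -1 = bad input. */
int rule_matches(const char *rule, const char *ip) {
    cidr_t r; uint32_t addr;
    if (cidr_parse(rule, &r) != 0 || parse_ipv4(ip, &addr) != 0) return -1;
    return (addr & r.mask) == r.net;  /* compare network bits only */
}

int main(void) {
    const char *rules[] = { "10.0.0.3", "10.0.0.0/24", "10.0.0.0/8" };
    for (int i = 0; i < 3; i++)
        printf("%-12s 10.0.0.4:%d 10.200.1.1:%d\n", rules[i],
               rule_matches(rules[i], "10.0.0.4"), rule_matches(rules[i], "10.200.1.1"));
    return 0;
}
```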