[Snort-devel] How is the network mask used in the detection engine?

Salvo Danilo Giuffrida salvodanilogiuffrida at ...2499...
Mon Jun 16 05:13:57 EDT 2008


Hello, I studied the way that, once a packet is read from the network
interface, its fields are used to match one or more rules. It seems to
me that the network mask portion (in CIDR format) of each rule is not
taken into account, in fact, there is no field for it in the 'Rule'
struct (and there is none in the 'Packet' struct either). So, is it
only used to group IPs, like 10.0.0.0/24?
If a packet from the subnet 10.0.0.0/24 arrives, and there is a rule
for the subnet 10.0.0.0/8, is it matched against it? My feeling is
that it isn't, because the 1st subnetwork contains more IPs than the
2nd, IPs that could not be matched by the 256 ones in the 10.0.0.0/8
subnet... But in any case, it seems that a rule like

alert 10.0.0.3 any -> 76.43.43.123 any

is functionally equivalent to

alert 10.0.0.0/8 any -> 76.43.43.123 any

Or not? Maybe the 2nd one will be triggered also if a packet from
10.0.0.4, or any other of the 256 IPs of that subnet, goes to
76.43.43.123?
Thanks a lot
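The containment question above comes down to prefix arithmetic, so here is a small worked example (added for this thread; it is not Snort source and makes no claim about how Snort's `Rule` or `Packet` structs store addresses). It takes the two rules quoted in the question, treats a bare address as a /32, and matches a packet address the way a mask-based engine would: mask the candidate address and compare it with the rule's network prefix. The packet source addresses (10.0.0.4, 10.200.1.1, 11.0.0.1) are constructed for the demonstration.

```python
"""Illustrative CIDR matching as a rule engine might perform it.

Example code written for this thread, not Snort's own implementation.
Rule addresses are the ones quoted in the question; packet addresses
below are constructed for the demonstration.
"""
import ipaddress


def parse_cidr(text: str):
    """Return (network, mask) as integers for 'a.b.c.d' or 'a.b.c.d/len'.

    A bare address is treated as a /32 (mask of all ones), which is why
    '10.0.0.3' covers exactly one host while '10.0.0.0/8' covers every
    address whose first octet is 10.
    """
    net = ipaddress.ip_network(text, strict=False)
    return int(net.network_address), int(net.netmask)


def ip_in_cidr(cidr: str, ip: str) -> bool:
    """Mask the candidate address and compare with the rule's network."""
    network, mask = parse_cidr(cidr)
    return (int(ipaddress.ip_address(ip)) & mask) == network


def cidr_is_subset(inner: str, outer: str) -> bool:
    """True when every address of `inner` is also covered by `outer`."""
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False)
    )


def address_count(cidr: str) -> int:
    """Number of addresses a prefix covers (2 ** (32 - prefix length))."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def rule_matches(rule: dict, pkt_src: str, pkt_dst: str) -> bool:
    """Both the source and destination networks of the rule must match."""
    return ip_in_cidr(rule["src"], pkt_src) and ip_in_cidr(rule["dst"], pkt_dst)


# The two rules from the question (ports omitted; both use 'any').
HOST_RULE = {"src": "10.0.0.3", "dst": "76.43.43.123"}
NET_RULE = {"src": "10.0.0.0/8", "dst": "76.43.43.123"}


def compare_rules(pkt_src: str, pkt_dst: str = "76.43.43.123") -> dict:
    """Report which of the two rules fires for a constructed packet."""
    return {
        "host_rule": rule_matches(HOST_RULE, pkt_src, pkt_dst),
        "net_rule": rule_matches(NET_RULE, pkt_src, pkt_dst),
    }


if __name__ == "__main__":
    for src in ("10.0.0.3", "10.0.0.4", "10.200.1.1", "11.0.0.1"):
        print(src, compare_rules(src))
    print("10.0.0.0/24 inside 10.0.0.0/8:",
          cidr_is_subset("10.0.0.0/24", "10.0.0.0/8"))
    print("addresses in /8:", address_count("10.0.0.0/8"),
          "in /24:", address_count("10.0.0.0/24"))
```

Running it shows that the /8 rule fires for 10.0.0.4 and for 10.200.1.1 while the host rule fires only for 10.0.0.3, that 10.0.0.0/24 (256 addresses) is entirely inside 10.0.0.0/8 (2^24 addresses) and not the other way round, and that the mask never has to be stored as a separate "CIDR" field once the network and mask integers are precomputed from the rule text.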



