[Snort-devel] How is the network mask used in the detection engine?

Salvo Danilo Giuffrida salvodanilogiuffrida at ...2499...
Mon Jun 16 05:13:57 EDT 2008

Hello, I studied the way that, once a packet is read from the network
interface, its fields are used to match one or more rules. It seems to
me that the network mask portion (in CIDR format) of each rule is not
taken into account, in fact, there is no field for it in the 'Rule'
struct (and there is none in the 'Packet' struct either). So, is it
only used to group IPs, like
If a packet from the subnet arrives, and there is a rule
for the subnet, is it matched against it? My feeling is
that it isn't, because the 1st subnetwork contains more IPs than the
2nd, IPs that could not be matched by the 256 ones in the
subnet... But in any case, it seems that a rule like

alert any -> any

is functionally equivalent to

alert any -> any

Or not? Maybe the 2nd one will be triggered also if a packet from, or any other of the 256 IPs of that subnet, goes to
Thanks a lot
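The question above is about CIDR semantics: whether a rule address carrying a /24 mask behaves like one carrying a /32. In standard CIDR matching, an address belongs to a block when the address bits selected by the mask equal the block's network bits, so a /24 covers 256 addresses while a /32 covers exactly one, and the two rule forms are not equivalent in general. The following is an added example written for this page, not code from Snort's detection engine, showing that mask arithmetic in C. The address and prefix values (the 192.0.2.0/24 documentation range) are constructed sample input; the function names are this example's own.

```c
/* Added example, not Snort's own code: how a CIDR network mask decides
 * whether a packet address matches a rule address. A /32 matches one host,
 * a /24 matches 256. All addresses below are constructed sample values. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse a dotted-quad IPv4 string into a host-order 32-bit integer.
 * Returns 1 on success, 0 on malformed input. */
static int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Build the 32-bit mask for a prefix length: /0 gives 0, /32 gives all ones. */
static uint32_t prefix_mask(unsigned prefix) {
    if (prefix == 0) return 0;
    if (prefix >= 32) return 0xFFFFFFFFu;
    return 0xFFFFFFFFu << (32 - prefix);
}

/* A rule address as network bits plus mask. */
typedef struct { uint32_t net; uint32_t mask; } cidr_t;

/* Parse "a.b.c.d/n"; a bare "a.b.c.d" is treated as /n = 32 (one host). */
static int parse_cidr(const char *s, cidr_t *out) {
    char buf[32];
    unsigned prefix = 32;
    const char *slash = strchr(s, '/');
    size_t len = slash ? (size_t)(slash - s) : strlen(s);
    if (len >= sizeof buf) return 0;
    memcpy(buf, s, len);
    buf[len] = '\0';
    if (slash && (sscanf(slash + 1, "%u", &prefix) != 1 || prefix > 32)) return 0;
    uint32_t ip;
    if (!parse_ipv4(buf, &ip)) return 0;
    out->mask = prefix_mask(prefix);
    out->net = ip & out->mask;   /* normalise: host bits in the rule are cleared */
    return 1;
}

/* The actual check: the packet address matches when its masked bits equal
 * the rule's network bits. This is the whole of CIDR containment. */
static int cidr_contains(const cidr_t *c, uint32_t ip) {
    return (ip & c->mask) == c->net;
}

/* Does the rule address string match the packet address string?
 * Returns 1 (match), 0 (no match) or -1 (unparseable input). */
int rule_addr_matches(const char *rule_addr, const char *pkt_addr) {
    cidr_t c;
    uint32_t ip;
    if (!parse_cidr(rule_addr, &c) || !parse_ipv4(pkt_addr, &ip)) return -1;
    return cidr_contains(&c, ip);
}

/* Number of addresses a rule address covers: 2^(32 - prefix). Returns 0 if invalid. */
uint64_t cidr_host_count(const char *rule_addr) {
    cidr_t c;
    if (!parse_cidr(rule_addr, &c)) return 0;
    uint32_t host_bits = ~c.mask;        /* bits the mask leaves free */
    return (uint64_t)host_bits + 1;
}

int main(void) {
    /* Constructed sample values: a /24 rule, a /32 rule and three packet sources. */
    const char *rules[] = { "192.0.2.0/24", "192.0.2.1/32" };
    const char *pkts[]  = { "192.0.2.1", "192.0.2.200", "192.0.3.1" };
    for (size_t r = 0; r < 2; r++) {
        printf("rule %s covers %llu address(es)\n", rules[r],
               (unsigned long long)cidr_host_count(rules[r]));
        for (size_t p = 0; p < 3; p++)
            printf("  packet from %-12s -> %s\n", pkts[p],
                   rule_addr_matches(rules[r], pkts[p]) == 1 ? "match" : "no match");
    }
    return 0;
}
```

Run as-is, the program prints that the /24 rule matches the first two sample sources and the /32 rule matches only the first; host bits present in a rule address (for instance a /24 written with a non-zero last octet) are cleared during parsing, which is why only the masked bits ever take part in the comparison.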

