[Snort-devel] How is the network mask used in the detection engine?

Steven Sturges steve.sturges at ...402...
Mon Jun 16 10:53:54 EDT 2008

Hi Salvo--

For a rule, the network information is stored in the RuleTreeNode
structure (see rtn), and is checked in fpEvalRTN.


Salvo Danilo Giuffrida wrote:
> Hello, I studied the way that, once a packet is read from the network
> interface, its fields are used to match one or more rules. It seems to
> me that the network mask portion (in CIDR format) of each rule is not
> taken into account, in fact, there is no field for it in the 'Rule'
> struct (and there is none in the 'Packet' struct either). So, is it
> only used to group IPs, like
> If a packet from the subnet arrives, and there is a rule
> for the subnet, is it matched against it? My feeling is
> that it isn't, because the 1st subnetwork contains more IPs than the
> 2nd, IPs that could not be matched by the 256 ones in the
> subnet... But in any case, it seems that a rule like
> alert any -> any
> is functionally equivalent to
> alert any -> any
> Or not? Maybe the 2nd one will be triggered also if a packet from
>, or any other of the 256 IPs of that subnet, goes to
> Thanks a lot
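As an added illustration of the netmask question (example code written for this page, not Snort's own RuleTreeNode / fpEvalRTN code): a minimal IPv4 CIDR match of the kind a rule engine performs when it compares a packet address against a rule's "ip/prefix" network. The names parse_cidr, net_match, rule_matches_ip and count_matches_in_c_block are hypothetical, and the sample addresses are constructed from the TEST-NET-1 block 192.0.2.0/24. It shows that a /24 rule covers all 256 addresses of its block while a bare host address (or /32) covers exactly one, so the two rule forms are not equivalent.

```c
/*
 * Added example, not Snort source: minimal CIDR matching for an IDS rule.
 * The rule's network is stored as (address, mask) derived from the prefix
 * length; a packet address matches when (ip & mask) == network address.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

/* Hypothetical per-rule network data (stand-in for whatever a real
 * engine keeps in its rule tree node). Values are in host byte order. */
typedef struct {
    uint32_t addr;   /* network address, already masked */
    uint32_t mask;   /* netmask built from the CIDR prefix length */
} rule_net_t;

/* Parse "a.b.c.d" (treated as /32) or "a.b.c.d/n". Returns 0 on success,
 * -1 on a malformed address or prefix. Host bits are cleared, so
 * "192.0.2.5/24" becomes the network 192.0.2.0/24. */
int parse_cidr(const char *s, rule_net_t *out) {
    char buf[32];
    long prefix = 32;
    struct in_addr ia;

    if (strlen(s) >= sizeof buf) return -1;
    strcpy(buf, s);
    char *slash = strchr(buf, '/');
    if (slash) {
        char *end;
        *slash = '\0';
        prefix = strtol(slash + 1, &end, 10);
        if (*end != '\0' || prefix < 0 || prefix > 32) return -1;
    }
    if (inet_pton(AF_INET, buf, &ia) != 1) return -1;
    /* Avoid the undefined 32-bit shift for a /0 rule ("any" network). */
    out->mask = (prefix == 0) ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - prefix));
    out->addr = ntohl(ia.s_addr) & out->mask;
    return 0;
}

/* Core check: does a packet address fall inside the rule's network? */
int net_match(const rule_net_t *n, uint32_t host_order_ip) {
    return (host_order_ip & n->mask) == n->addr;
}

/* Convenience wrapper on textual inputs. Returns 1 (match), 0 (no match)
 * or -1 (parse error). */
int rule_matches_ip(const char *rule_net, const char *pkt_ip) {
    rule_net_t n;
    struct in_addr ia;
    if (parse_cidr(rule_net, &n) != 0) return -1;
    if (inet_pton(AF_INET, pkt_ip, &ia) != 1) return -1;
    return net_match(&n, ntohl(ia.s_addr));
}

/* How many of the 256 addresses in the /24 containing block_base does
 * the rule network cover? Makes the /24 vs /32 difference concrete. */
int count_matches_in_c_block(const char *rule_net, const char *block_base) {
    rule_net_t n;
    struct in_addr ia;
    if (parse_cidr(rule_net, &n) != 0) return -1;
    if (inet_pton(AF_INET, block_base, &ia) != 1) return -1;
    uint32_t base = ntohl(ia.s_addr) & 0xFFFFFF00u;
    int hits = 0;
    for (uint32_t i = 0; i < 256; i++)
        hits += net_match(&n, base + i);
    return hits;
}

int main(void) {
    /* Constructed sample: one packet from inside TEST-NET-1. */
    const char *pkt = "192.0.2.77";
    const char *rules[] = { "192.0.2.0/24", "192.0.2.5", "192.0.2.5/32",
                            "192.0.0.0/16", "192.0.3.0/24" };
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        printf("rule %-14s packet %s -> %s (covers %d of the /24)\n",
               rules[i], pkt,
               rule_matches_ip(rules[i], pkt) ? "match" : "no match",
               count_matches_in_c_block(rules[i], pkt));
    return 0;
}
```

The /16 case shows the other direction raised in the question: a packet from 192.0.2.0/24 does match a rule written for the larger 192.0.0.0/16, because matching is "is this address inside the rule's network", not "is the packet's subnet equal to the rule's subnet".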
