[Snort-devel] How is the network mask used in the detection engine?

Steven Sturges steve.sturges at ...402...
Mon Jun 16 10:53:54 EDT 2008


Hi Salvo--

For a rule, the network information is stored in the RuleTreeNode
structure (see rtn), and is checked in fpEvalRTN.

Cheers
-steve

Salvo Danilo Giuffrida wrote:
> Hello, I studied the way that, once a packet is read from the network
> interface, its fields are used to match one or more rules. It seems to
> me that the network mask portion (in CIDR format) of each rule is not
> taken into account, in fact, there is no field for it in the 'Rule'
> struct (and there is none in the 'Packet' struct either). So, is it
> only used to group IPs, like 10.0.0.0/24?
> If a packet from the subnet 10.0.0.0/24 arrives, and there is a rule
> for the subnet 10.0.0.0/8, is it matched against it? My feeling is
> that it isn't, because the 1st subnetwork contains more IPs than the
> 2nd, IPs that could not be matched by the 256 ones in the 10.0.0.0/8
> subnet... But in any case, it seems that a rule like
> 
> alert 10.0.0.3 any -> 76.43.43.123 any
> 
> is functionally equivalent to
> 
> alert 10.0.0.0/8 any -> 76.43.43.123 any
> 
> Or not? Maybe the 2nd one will be triggered also if a packet from
> 10.0.0.4, or any other of the 256 IPs of that subnet, goes to
> 76.43.43.123?
> Thanks a lot
> 

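An added example, not Snort's own code: a standalone C version of the masked address comparison that the question is about. The type and function names (rule_net_t, parse_rule_net, rule_net_matches) are hypothetical stand-ins for what Snort keeps on the RuleTreeNode; the code shows that a header written as 10.0.0.0/8 matches every 10.x.x.x source, while a bare host address such as 10.0.0.3 behaves as /32 and matches that one address only.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the network/mask a rule's RuleTreeNode holds. */
typedef struct {
    uint32_t net;   /* network address, host byte order */
    uint32_t mask;  /* netmask derived from the prefix length */
} rule_net_t;

/* Parse a dotted quad into a host-order uint32; returns 0 on failure. */
static int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Parse "10.0.0.0/8" or a bare "10.0.0.3" (implicitly /32); returns 0 on failure. */
int parse_rule_net(const char *spec, rule_net_t *rn) {
    char buf[32], *slash, *end;
    unsigned long prefix = 32;
    if (strlen(spec) >= sizeof buf) return 0;
    strcpy(buf, spec);
    slash = strchr(buf, '/');
    if (slash) {
        *slash = '\0';
        prefix = strtoul(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || prefix > 32) return 0;
    }
    if (!parse_ipv4(buf, &rn->net)) return 0;
    rn->mask = prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix);
    rn->net &= rn->mask; /* host bits in the rule are ignored: 10.1.2.3/8 == 10.0.0.0/8 */
    return 1;
}

/* The masked comparison a CIDR rule implies: (packet addr & mask) == network. */
int rule_net_matches(const rule_net_t *rn, const char *pkt_ip) {
    uint32_t ip;
    if (!parse_ipv4(pkt_ip, &ip)) return 0;
    return (ip & rn->mask) == rn->net;
}
```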


