[Snort-users] using full ip address

Vitaly McLain twistah at ...93...
Wed Oct 11 20:47:55 EDT 2000


Hi,

> Hi
>
> What are the ramifications to using
> var HOME_NET 172.18.20.54/24

If you are talking about a single IP address, it would be /32, not /24. Or
am I misunderstanding what you are trying to do?

> rather than
>
> var HOME_NET 172.18.20.0/24

Using 172.18.20.54/32 would mean Snort would only show alerts for that IP
address. Using 172.18.20.0/24 would mean Snort would log alerts for the
whole 172.18.120.x subnet. Set HOME_NET to monitor whatever you need.


> This goes back to the thread of using
> ifconfig to determine the subnet address.
> to simplify deploying snort.

This is possible through shell scripting. The address_config.sh script at
www.snort.org works great.
You said "subnet address" and I am taking that to mean "IP address", so I
could be misunderstanding you.

Vitaly McLain
twistah at ...93...






More information about the Snort-users mailing list