[Snort-users] non-CIDR address masking in rules?

Glenn Forbes Fleming Larratt glratt at ...604...
Mon Nov 5 15:00:01 EST 2001


Is there a way to use address/mask pairs explicitly in a rule, rather than
CIDR notation? Particularly, does snort have the capability to understand
address/mask pairs that *don't* simplify to CIDR notation, eg:

	172.16.4.0 0.0.8.255 => 172.16.4.0/24 or 172.16.12.0/24

or

	172.16.0.250 0.0.255.15 => anything in 172.16.0.0/16 with a last
					octet > 239

?

	-g


				Glenn Forbes Fleming Larratt
				Rice University Network Management
				glratt at ...604...





More information about the Snort-users mailing list