[Snort-users] non-CIDR address masking in rules?

Andrew R. Baker andrewb at ...950...
Tue Nov 6 23:46:02 EST 2001


Glenn Forbes Fleming Larratt wrote:
> 
> Is there a way to use address/mask pairs explicitly in a rule, rather than
> CIDR notation? Particularly, does snort have the capability to understand
> address/mask pairs that *don't* simplify to CIDR notation, eg:
> 
>         172.16.4.0 0.0.8.255 => 172.16.4.0/24 or 172.16.12.0/24
> 
> or
> 
>         172.16.0.250 0.0.255.15 => anything in 172.16.0.0/16 with a last
>                                         octet > 239
> 
> ?

Yes, snort understands non-CIDR netmasks; instead of specifying a CIDR
block, just use a regular netmask.  Although I think you have your bits
flipped on your netmasks.  For example you could use
172.16.0.250/255.255.0.255 to match all hosts in the 172.16.0.0/16
netblock with a final octet of 250.

-A
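As an added example (not from this thread and not Snort's own parser), here is a small Python checker for the address/mask form Andrew describes: it accepts a bare host, a CIDR prefix, or a dotted mask including non-contiguous ones such as 255.255.0.255, and it inverts a Cisco-style wildcard into a netmask, which is how I read Andrew's remark that Glenn's bits are flipped. Address semantics (rule matches when ip AND mask equals address AND mask) are assumed here rather than taken from Snort's source.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_to_netmask(wildcard: str) -> str:
    """Invert a Cisco-style wildcard (0 bits = must match) into a netmask."""
    return str(ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & ALL_ONES))


def parse_addr_spec(spec: str) -> tuple[int, int]:
    """Parse 'a.b.c.d', 'a.b.c.d/N' or 'a.b.c.d/m.m.m.m' into (network, mask) ints.

    The dotted-mask form may be non-contiguous (e.g. 255.255.0.255), which
    no single CIDR block can express.
    """
    addr, _, mask = spec.partition("/")
    addr_int = int(ipaddress.IPv4Address(addr))
    if not mask:                        # bare host address
        mask_int = ALL_ONES
    elif mask.isdigit():                # CIDR prefix length
        prefix = int(mask)
        if not 0 <= prefix <= 32:
            raise ValueError(f"bad prefix length in {spec!r}")
        mask_int = (ALL_ONES << (32 - prefix)) & ALL_ONES
    else:                               # dotted netmask, contiguous or not
        mask_int = int(ipaddress.IPv4Address(mask))
    return addr_int & mask_int, mask_int


def is_cidr_mask(mask_int: int) -> bool:
    """True when the mask is a run of 1s followed by 0s (expressible as /N)."""
    inv = ~mask_int & ALL_ONES
    return inv & (inv + 1) == 0


def matches(spec: str, ip: str) -> bool:
    """Does 'ip' fall inside the rule address spec?"""
    network, mask_int = parse_addr_spec(spec)
    return int(ipaddress.IPv4Address(ip)) & mask_int == network


if __name__ == "__main__":
    # Andrew's example: any host in 172.16.0.0/16 whose last octet is 250.
    spec = "172.16.0.250/255.255.0.255"
    for ip in ("172.16.0.250", "172.16.200.250", "172.16.0.251", "172.17.0.250"):
        print(f"{ip:>15} in {spec}: {matches(spec, ip)}")
    # Glenn's first wildcard, inverted: 172.16.4.0/24 or 172.16.12.0/24.
    print(wildcard_to_netmask("0.0.8.255"),
          is_cidr_mask(parse_addr_spec("172.16.4.0/255.255.247.0")[1]))
```

Because a non-contiguous mask has no CIDR equivalent, check `is_cidr_mask` before handing such a spec to anything that only understands `ip_network`.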



