[Snort-users] non-CIDR address masking in rules?
Andrew R. Baker
andrewb at ...950...
Tue Nov 6 23:46:02 EST 2001
Glenn Forbes Fleming Larratt wrote:
> Is there a way to use address/mask pairs explicitly in a rule, rather than
> CIDR notation? Particularly, does snort have the capability to understand
> address/mask pairs that *don't* simplify to CIDR notation, eg:
> 172.16.4.0 0.0.8.255 => 172.16.4.0/24 or 172.16.12.0/24
> 172.16.0.250 0.0.255.15 => anything in 172.16.0.0/16 with a last
> octet > 239
Yes snort understands non CIDR netmasks, instead of specifying a CIDR
block, just use a regular netmask. Although I think you have your bits
flipped on your netmasks. For exampe you could use
172.16.0.250/255.255.0.255 to match all hosts in the 172.16.0.0/16
netblock with a final octet of 250.
More information about the Snort-users