[Snort-users] non-CIDR address masking in rules?

Andrew R. Baker andrewb at ...950...
Tue Nov 6 23:46:02 EST 2001

Glenn Forbes Fleming Larratt wrote:
> Is there a way to use address/mask pairs explicitly in a rule, rather than
> CIDR notation? Particularly, does snort have the capability to understand
> address/mask pairs that *don't* simplify to CIDR notation, eg:
> => or
> or
> => anything in with a last
>                                         octet > 239
> ?

Yes, Snort understands non-CIDR netmasks; instead of specifying a CIDR
block, just use a regular netmask.  Although I think you have your bits
flipped on your netmasks.  For example, you could use to match all hosts in the
netblock with a final octet of 250.
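
An added illustration (not part of the original thread, and not Snort's own code) of the address/mask comparison the reply describes, including what happens when the mask bits are flipped. The 10.1.x.x addresses, the masks and the function names are constructed for the example, and it assumes the usual netmask convention that a 1 bit means "this bit must match".

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def matches(addr, net, mask):
    """True when addr agrees with net on every bit that is set in mask."""
    m = to_int(mask)
    return (to_int(addr) & m) == (to_int(net) & m)

def is_cidr_mask(mask):
    """True when mask is one contiguous run of 1 bits from the top,
    i.e. it could be written as a /prefix instead."""
    inverted = ~to_int(mask) & ALL_ONES
    return (inverted & (inverted + 1)) == 0

def flip(mask):
    """Turn a wildcard-style mask (1 = don't care) into a netmask (1 = must match)."""
    return str(ipaddress.IPv4Address(~to_int(mask) & ALL_ONES))

# Constructed address/mask pairs (assumptions for this example):
FINAL_250 = ("10.1.0.250", "255.255.0.255")   # any 10.1.x.250
ABOVE_239 = ("10.1.0.240", "255.255.0.240")   # any 10.1.x.y with y in 240..255

def demo():
    """Evaluate a few constructed hosts against both pairs."""
    hosts = ["10.1.7.250", "10.1.7.241", "10.1.7.239", "192.168.0.7"]
    rows = []
    for h in hosts:
        rows.append((h, matches(h, *FINAL_250), matches(h, *ABOVE_239)))
    return rows

if __name__ == "__main__":
    for host, is_250, is_high in demo():
        print(f"{host:<12} final-octet-250={is_250!s:<5} octet>239={is_high}")
    # A flipped mask compares only the bits that were meant to be ignored,
    # so an unrelated host matches and the rule becomes far too broad.
    wildcard = "0.0.255.0"
    print("flipped mask matches 192.168.0.7:",
          matches("192.168.0.7", FINAL_250[0], wildcard))
    print("corrected mask:", flip(wildcard),
          "expressible as CIDR:", is_cidr_mask(flip(wildcard)))
```
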

