[Snort-users] re: tcpdump expression

Roelof JT Jonkman roel at ...155...
Fri Nov 9 19:56:02 EST 2001


Greg,

Just got home, running snort 1.8.1 with libpcap 0.4.1, however I tried
on one of the other machines, which has 1.8.2 with libpcap 0.6.2, and
no worky... Nothing I tried sofar... I'll try to figure this out, looks
like a bug of some sort in the latest version of pcap.
I suspect something like the following is the case:

the last two significant octetis of the network are 88.0, this is in
binary the following:

0101 1000 . 0000 . 0000
     ^
    |
The problem it's bitchin about is that marked bit (^) is set and is within
the mask, /20 (|) that is, so the last 12 bits are insignificant. Now I'm
not sure if the network number is valid from a CIDR standpoint right of
the top of my head. (Just for jollies try 134.117.80.0/20 and see it
work.) 

I'll dig some more after dinner, and get back to you

		
			roel






More information about the Snort-users mailing list