[Snort-users] re: tcpdump expression

Roelof JT Jonkman roel at ...155...
Fri Nov 9 19:56:02 EST 2001


Just got home, running snort 1.8.1 with libpcap 0.4.1, however I tried
on one of the other machines, which has 1.8.2 with libpcap 0.6.2, and
no worky... Nothing I tried so far... I'll try to figure this out, looks
like a bug of some sort in the latest version of pcap.
I suspect something like the following is the case:

the last two significant octets of the network are 88.0, this is in
binary the following:

0101 1000 . 0000 0000
    |^
The problem it's bitchin about is that marked bit (^) is set and is within
the mask, /20 (|) that is, so the last 12 bits are insignificant. Now I'm
not sure if the network number is valid from a CIDR standpoint right off
the top of my head. (Just for jollies try and see it

I'll dig some more after dinner, and get back to you
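The bit-within-the-mask problem sketched above can be checked mechanically. The following is an added example, not code from the original post or from Snort/libpcap: it takes a dotted-quad address and a prefix length, computes the mask, reports any bits set outside the mask (the condition that makes a net/mask expression invalid), and draws the same kind of binary diagram as the post, with `|` at the prefix boundary and `^` under each offending bit. The post only gives the last two octets (88.0), so the sample address `10.1.88.0` is a constructed placeholder for the first two.

```python
import ipaddress


def check_cidr(addr: str, prefix: int) -> dict:
    """Check whether addr/prefix is a valid CIDR network, i.e. whether any
    bits are set outside the prefix mask.  Returns the mask, the set host
    bits (0 when valid) and the normalised network a filter should use."""
    ip = int(ipaddress.IPv4Address(addr))
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    host_bits = ip & ~mask & 0xFFFFFFFF      # bits below the prefix boundary
    network = ip & mask                      # address with host bits cleared
    return {
        "valid": host_bits == 0,
        "mask": str(ipaddress.IPv4Address(mask)),
        "host_bits": host_bits,
        "network": f"{ipaddress.IPv4Address(network)}/{prefix}",
    }


def bit_diagram(addr: str, prefix: int) -> str:
    """Render the address in binary (nibbles split by spaces, octets by ' . ')
    with '|' drawn in the gap before the first host bit (under the last
    network bit when the prefix is not nibble-aligned) and '^' under each
    host bit that is set."""
    ip = int(ipaddress.IPv4Address(addr))
    bits = f"{ip:032b}"
    line, cols = [], []                      # cols[i] = column of bit i
    for i, b in enumerate(bits):
        if i and i % 8 == 0:
            line.append(" . ")
        elif i and i % 4 == 0:
            line.append(" ")
        cols.append(sum(len(s) for s in line))
        line.append(b)
    text = "".join(line)
    marker = [" "] * len(text)
    if prefix < 32:
        marker[cols[prefix] - 1] = "|"
    for i in range(prefix, 32):
        if bits[i] == "1":
            marker[cols[i]] = "^"
    return text + "\n" + "".join(marker).rstrip()


if __name__ == "__main__":
    # Constructed sample: first two octets are a placeholder, 88.0/20 is from the post.
    for sample in ("10.1.88.0", "10.1.80.0"):
        print(sample + "/20 ->", check_cidr(sample, 20))
        print(bit_diagram(sample, 20))
```

For `10.1.88.0/20` the check reports host bits set (the `1` in `1000` of the third octet) and suggests `10.1.80.0/20`; the same result comes from `ipaddress.ip_network("10.1.88.0/20", strict=False)`, while the strict default raises a `ValueError` for exactly this reason.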

