[Snort-users] ip ranges?

Edwin Eefting edwin at ...2758...
Tue Oct 23 01:09:06 EDT 2001


Why won't this work:

var HOME_NET [213.136.0.0/19,!213.136.3.0/24]

Our homenet should be 213.136.0.0/19, except 213.136.3.0/24 which are dialup
accounts. (and they generate a lot of alert!)
I've written a perlscript to generate something like this:

var HOME_NET
[213.136.0.0/24,213.136.1.0/24,213.136.2.0/24,213.136.4.0/24,213.136.5.0/24,213
.136.6.0/24,213.136.7.0/24,213.136.8.0/24,213.136.9.0/24,213.136.10.0/24,213.13
6.11.0/24,213.136.12.0/24,213.136.13.0/24,213.136.14.0/24,213.136.15.0/24,213.1
36.16.0/24,213.136.17.0/24,213.136.18.0/24,213.136.19.0/24,213.136.20.0/24,213.
136.21.0/24,213.136.22.0/24,213.136.23.0/24,213.136.24.0/24,213.136.25.0/24,213
.136.26.0/24,213.136.27.0/24,213.136.28.0/24,213.136.29.0/24,213.136.30.0/24,21
3.136.31.0/24]

Pretty eh? ;-)
But this seems to use a lot of cpu time. (guess it has to evaluate a lot more
ips with every rule)

What's a nicer solution?
Edwin

--			      __________________
			     /\ ___/	      
Edwin Eefting		    /- \ _/  Business Internet Trends BV
			   /--- \/	     __________________






More information about the Snort-users mailing list