[Snort-users] HELP on configuration
mkettler at ...4108...
Wed Feb 6 11:05:03 EST 2002
try specifying a mask size... if it is a single host the mask is /32 like this:
var INFN_AFS_SERVERS [184.108.40.206/32]
I suspect your first variable only works because of a implementation issue
where such formatting happens when specifying multiple IPs, but as best I
know, this is bad form in snort. Every sample rule has a /32 netmask for
single IPs, so I'd assume this is the expected input format and specifying
an IP address without one is invalid input.
section 2.2.3 of the "writing snort rules" guide even specifically says you
need a CIDR type netmask:
"The addresses are formed by a straight numeric IP address and a CIDR[,]
block. The CIDR block indicates the netmask that should be applied to the
rule's address and any incoming packets that are tested against the rule. A
CIDR block mask of /24 indicates a Class C network, /16 a Class B network,
and /32 indicates a specific machine address."
At 03:13 PM 2/6/2002 +0100, Enrico M.V. Fasanelli wrote:
> var LE_AFS_SERVERS
> var INFN_AFS_SERVERS [220.127.116.11]
More information about the Snort-users