[Snort-users] HELP on configuration

Matt Kettler mkettler at ...4108...
Wed Feb 6 11:05:03 EST 2002


Try specifying a mask size... if it is a single host, the mask is /32, like this:

var INFN_AFS_SERVERS [141.108.3.252/32]

I suspect your first variable only works because of an implementation issue 
where such formatting happens when specifying multiple IPs, but as best I 
know, this is bad form in Snort. Every sample rule has a /32 netmask for 
single IPs, so I'd assume this is the expected input format and specifying 
an IP address without one is invalid input.

Section 2.2.3 of the "writing snort rules" guide even specifically says you 
need a CIDR type netmask:

"The addresses are formed by a straight numeric IP address and a CIDR 
block. The CIDR block indicates the netmask that should be applied to the 
rule's address and any incoming packets that are tested against the rule. A 
CIDR block mask of /24 indicates a Class C network, /16 a Class B network, 
and /32 indicates a specific machine address."

http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.2.3


At 03:13 PM 2/6/2002 +0100, Enrico M.V. Fasanelli wrote:

>Dear all,
>
>In particular:
>
>    var LE_AFS_SERVERS [192.84.152.68,192.84.152.37,192.84.152.83,192.84.152.148,192.84.152.100]
>    var INFN_AFS_SERVERS [141.108.3.252]
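
A small checker for the convention recommended in the reply above: it scans `var` lines for IPv4 entries written without a CIDR mask and rewrites them with /32. This is an added example, not part of the original message and not Snort code; the names `lint` and `normalize_entry` and the `HOME_NET` sample line are assumptions made for illustration, and only IPv4 entries are examined.

```python
import ipaddress
import re

# Constructed sample: the two declarations quoted in the thread plus one
# well-formed line (HOME_NET and its values are made up for this example).
SAMPLE_CONF = """\
var LE_AFS_SERVERS [192.84.152.68,192.84.152.37,192.84.152.83,192.84.152.148,192.84.152.100]
var INFN_AFS_SERVERS [141.108.3.252]
var HOME_NET [10.1.0.0/16,10.2.3.4/32]
"""

VAR_RE = re.compile(r"^\s*var\s+(\S+)\s+(\S+)\s*$")
ADDR_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(/\d{1,2})?$")

def normalize_entry(entry):
    """Return (entry_to_write, problem or None) for one item of a var value."""
    entry = entry.strip()
    m = ADDR_RE.match(entry)
    if not m:
        return entry, None  # "any", $OTHER_VAR, ports, paths: left untouched
    addr, mask = m.groups()
    try:
        # Validates both the octets and the prefix length.
        ipaddress.IPv4Network(addr + (mask or "/32"), strict=False)
    except ValueError:
        return entry, "invalid address or mask"
    if mask is None:
        return addr + "/32", "missing CIDR mask"
    return entry, None

def lint(conf_text):
    """Return (findings, corrected_text); findings are (line, var, entry, problem)."""
    findings, out = [], []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = VAR_RE.match(line)
        if not m:
            out.append(line)  # not a var declaration: copy through unchanged
            continue
        name, value = m.groups()
        fixed = []
        for item in value.strip("[]").split(","):
            new, problem = normalize_entry(item)
            fixed.append(new)
            if problem:
                findings.append((lineno, name, item.strip(), problem))
        body = ",".join(fixed)
        out.append(f"var {name} " + (f"[{body}]" if value.startswith("[") else body))
    return findings, "\n".join(out)
```

Calling `lint(SAMPLE_CONF)` reports six maskless entries across the two quoted declarations and returns the text with each rewritten as a /32.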




