[Snort-users] Only monitor specified ip's

Erek Adams erek at ...577...
Wed Feb 13 12:51:21 EST 2002


On Wed, 13 Feb 2002, Glenn E. Bailey III wrote:

> I have looked through the docs & faq's for a while now and
> have come up w/nothing. Basically, I want Snort to ONLY monitor
> ip's I specify. Is this easily done without re-writing all the
> rules? I though this might work:
>
> var HOME_NET [10.0.0.1,10.0.0.2,10.0.0.3]
>
> but it doesn't seem to ..
>
> Any suggestions?

Yeppers.  Use CIDR notation.

 var HOME_NET [10.0.0.1/32,10.0.0.2/32,10.0.0.3/32]

CIDR  Subnet Mask       Subnets      Addresses       Available Hosts

/24 - 255.255.255.0   - 1 subnet   - 256 addresses - 254 available hosts
/25 - 255.255.255.128 - 2 subnets  - 128 addresses - 126 available hosts
/26 - 255.255.255.192 - 4 subnets  - 64 addresses  - 62 available hosts
/27 - 255.255.255.224 - 8 subnets  - 32 addresses  - 30 available hosts
/28 - 255.255.255.240 - 16 subnets - 16 addresses  - 14 available hosts
/29 - 255.255.255.248 - 32 subnets - 8 addresses   - 6 available hosts
/30 - 255.255.255.252 - 64 subnets - 4 addresses   - 2 available hosts
/32 - 255.255.255.255 - 128 subnets - 2 addresses  - 1 available host


Cheers.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net





More information about the Snort-users mailing list