[Snort-users] single ip address

Erek Adams erek at ...577...
Thu Feb 21 17:41:04 EST 2002


On Thu, 21 Feb 2002, Scott Taylor wrote:

>   I'm having a hard time finding info on
> applying rules to a single IP addy. For instance
> if I want to ignore a single IP address what
> would the pass rule look like?
>
> pass tcp 192.168.12.4 -> any any
>
> or do I need a /24 on the end of the IP?

Nope.  A /24 means 256 addresses.  You want a /32.

CIDR  Subnet Mask       Subnets      Addresses       Available Hosts

/24 - 255.255.255.0   - 1 subnet   - 256 addresses - 254 available hosts
/25 - 255.255.255.128 - 2 subnets  - 128 addresses - 126 available hosts
/26 - 255.255.255.192 - 4 subnets  - 64 addresses  - 62 available hosts
/27 - 255.255.255.224 - 8 subnets  - 32 addresses  - 30 available hosts
/28 - 255.255.255.240 - 16 subnets - 16 addresses  - 14 available hosts
/29 - 255.255.255.248 - 32 subnets - 8 addresses   - 6 available hosts
/30 - 255.255.255.252 - 64 subnets - 4 addresses   - 2 available hosts
/32 - 255.255.255.255 -            - 2 addresses   - 1 available host

> Would this work in the snort.conf under home_net?

CIDR Notation?  Sure.

> take 1 chug and kiss the person on your right.

Well, since that's my sleeping cat, I don't want to wake her, she might demand
petting.  ;-)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
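
An added example, not part of the original message: a small Python audit that reads Snort rule headers and reports pass rules whose source field is not exactly one host, since a pass rule silences detection for everything it matches. The sample rules are constructed, and `source_scope` and `audit_pass_rules` are hypothetical helper names.

```python
import ipaddress

# Constructed sample rules (not from the original post).
SAMPLE_RULES = """\
pass tcp 192.168.12.4/32 any -> any any
pass tcp 192.168.12.4/24 any -> any any
pass tcp 192.168.12.4 any -> any any
alert tcp any any -> 192.168.12.0/24 80
pass udp any any -> any 53
"""

def source_scope(addr):
    """Return (address_count, note) for one address field of a rule header.

    address_count is None when the field carries no explicit prefix or is
    not a plain address (variable, negation, list) and needs manual review.
    """
    if addr == "any":
        return 2 ** 32, "matches every IPv4 source"
    if "/" not in addr:
        return None, "no explicit prefix; write /32 if one host is intended"
    try:
        # strict=False accepts host bits, e.g. 192.168.12.4/24 -> 192.168.12.0/24
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return None, "not a plain CIDR block; resolve by hand"
    return net.num_addresses, f"mask {net.netmask}, network {net.network_address}"

def audit_pass_rules(text):
    """Return pass rules whose source is wider than one host or unclear."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # Header: action proto src_ip src_port direction dst_ip dst_port
        fields = line.split()
        if len(fields) < 7 or fields[0] != "pass":
            continue
        count, note = source_scope(fields[2])
        if count != 1:
            findings.append((lineno, fields[2], count, note))
    return findings

if __name__ == "__main__":
    for lineno, src, count, note in audit_pass_rules(SAMPLE_RULES):
        size = "unknown" if count is None else f"{count} addresses"
        print(f"line {lineno}: pass source {src} -> {size} ({note})")
```
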




