[Snort-users] IP Range Problems

Brian bmc at ...950...
Tue Jul 8 13:05:07 EDT 2003


On Tue, Jul 08, 2003 at 11:58:11AM -0600, Nelson, Ben wrote:
>> i want snort to look at the ip range of 10.5.0.1 - 10.5.4.254 but i cant
>> figure out how to input this into the ip list.  how do i put that into
>> the var HOME_NET list?  thanks for any help
>
> var HOME_NET [10.5.0.0/22,10.5.4.0/24]

technically, thats not correct.  You would also look at 10.5.0.0 and 
10.5.4.255 which don't fit in the range specified.  For the most part,
that will work, but if you want to be exact, you need:

var HOME_NET [10.5.0.1/32,10.5.0.2/31,10.5.0.4/30,10.5.0.8/29,10.5.0.16/28,10.5.0.32/27,10.5.0.64/26,10.5.0.128/25,10.5.1.0/24,10.5.2.0/23,10.5.4.0/25,10.5.4.128/26,10.5.4.192/27,10.5.4.224/28,10.5.4.240/29,10.5.4.248/30,10.5.4.252/31,10.5.4.254/32]

aggregate is your friend.  (echo 10.5.0.1 - 10.5.4.254 | aggregate -i range)

-brian




More information about the Snort-users mailing list