[Snort-users] IP Range Problems

Hutchinson, Andrew andrew.hutchinson at ...759...
Wed Jul 9 05:08:07 EDT 2003


Actually, the answer that Ben and I each posted
(10.5.0.0/22,10.5.4.0/24) AND the answer that Brian posted were both
right.  It's just that Ben and I answered what we thought that the
posted *meant* to say, while Brian actually answered correctly given
what the user *did* say.  As Brian pointed out, the notation above
covers 2 IP's (10.5.0.0/32 and 10.5.4.255/32) that the user did not
include in his range (which was listed as 10.5.0.1-10.5.4.254).  I just
assumed that the user wanted to look at 5 class B's in their entirety,
even though that's not technically what he said.

So we're all right, and can all bask in the warm glow of correctness.
:-)

Andrew Hutchinson - Network Security
Vanderbilt University Medical Center
(615) 936-2856


> -----Original Message-----
> From: Bryan Irvine [mailto:bryan.irvine at ...9066...] 
> Sent: Tuesday, July 08, 2003 3:47 PM
> To: Brian
> Cc: Nelson, Ben; Ryan Vennell; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] IP Range Problems
> 
> 
> uhhh no.  Ben had it right.  With a subnet mask of /22 that covers
> 10.5.0.0-10.5.3.255  and then the /24 covers 
> 10.5.4.0-10.5.4.255.  There
> is no point to writing them all out like that, especially with the /32
> why add in a NET for a single ip?
> 
> That is an odd range of ip's though, it doesn't fit in well with CIDR
> style notation.  is this 1 network with a netmask of 255.255.251.0??? 
> strange....
> 
> 10.5.0.0/21.5-ish  ;-) 
> 
> Out of curiosity are these networks split across multiple interfaces?
> 
> --Bryan
> 
> On Tue, 2003-07-08 at 13:03, Brian wrote:
> > On Tue, Jul 08, 2003 at 11:58:11AM -0600, Nelson, Ben wrote:
> > >> i want snort to look at the ip range of 10.5.0.1 - 
> 10.5.4.254 but i cant
> > >> figure out how to input this into the ip list.  how do i 
> put that into
> > >> the var HOME_NET list?  thanks for any help
> > >
> > > var HOME_NET [10.5.0.0/22,10.5.4.0/24]
> > 
> > technically, thats not correct.  You would also look at 
> 10.5.0.0 and 
> > 10.5.4.255 which don't fit in the range specified.  For the 
> most part,
> > that will work, but if you want to be exact, you need:
> > 
> > var HOME_NET 
> [10.5.0.1/32,10.5.0.2/31,10.5.0.4/30,10.5.0.8/29,10.5.0.16/28,
> 10.5.0.32/27,10.5.0.64/26,10.5.0.128/25,10.5.1.0/24,10.5.2.0/2
> 3,10.5.4.0/25,10.5.4.128/26,10.5.4.192/27,10.5.4.224/28,10.5.4
> .240/29,10.5.4.248/30,10.5.4.252/31,10.5.4.254/32]
> > 
> > aggregate is your friend.  (echo 10.5.0.1 - 10.5.4.254 | 
> aggregate -i range)
> > 
> > -brian
> > 
> > 
> > -------------------------------------------------------
> > This SF.Net email sponsored by: Parasoft
> > Error proof Web apps, automate testing & more.
> > Download & eval WebKing and get a free book.
> > www.parasoft.com/bulletproofapps
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > 
> 
> 
> 
> -------------------------------------------------------
> This SF.Net email sponsored by: Parasoft
> Error proof Web apps, automate testing & more.
> Download & eval WebKing and get a free book.
> www.parasoft.com/bulletproofapps
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 




More information about the Snort-users mailing list