[Snort-users] IP Range Problems
andrew.hutchinson at ...759...
Wed Jul 9 05:08:07 EDT 2003
Actually, the answer that Ben and I each posted
(10.5.0.0/22,10.5.4.0/24) AND the answer that Brian posted were both
right. It's just that Ben and I answered what we thought that the
posted *meant* to say, while Brian actually answered correctly given
what the user *did* say. As Brian pointed out, the notation above
covers 2 IP's (10.5.0.0/32 and 10.5.4.255/32) that the user did not
include in his range (which was listed as 10.5.0.1-10.5.4.254). I just
assumed that the user wanted to look at 5 class B's in their entirety,
even though that's not technically what he said.
So we're all right, and can all bask in the warm glow of correctness.
Andrew Hutchinson - Network Security
Vanderbilt University Medical Center
> -----Original Message-----
> From: Bryan Irvine [mailto:bryan.irvine at ...9066...]
> Sent: Tuesday, July 08, 2003 3:47 PM
> To: Brian
> Cc: Nelson, Ben; Ryan Vennell; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] IP Range Problems
> uhhh no. Ben had it right. With a subnet mask of /22 that covers
> 10.5.0.0-10.5.3.255 and then the /24 covers
> 10.5.4.0-10.5.4.255. There
> is no point to writing them all out like that, especially with the /32
> why add in a NET for a single ip?
> That is an odd range of ip's though, it doesn't fit in well with CIDR
> style notation. is this 1 network with a netmask of 255.255.251.0???
> 10.5.0.0/21.5-ish ;-)
> Out of curiosity are these networks split across multiple interfaces?
> On Tue, 2003-07-08 at 13:03, Brian wrote:
> > On Tue, Jul 08, 2003 at 11:58:11AM -0600, Nelson, Ben wrote:
> > >> i want snort to look at the ip range of 10.5.0.1 -
> 10.5.4.254 but i cant
> > >> figure out how to input this into the ip list. how do i
> put that into
> > >> the var HOME_NET list? thanks for any help
> > >
> > > var HOME_NET [10.5.0.0/22,10.5.4.0/24]
> > technically, thats not correct. You would also look at
> 10.5.0.0 and
> > 10.5.4.255 which don't fit in the range specified. For the
> most part,
> > that will work, but if you want to be exact, you need:
> > var HOME_NET
> > aggregate is your friend. (echo 10.5.0.1 - 10.5.4.254 |
> aggregate -i range)
> > -brian
> > -------------------------------------------------------
> > This SF.Net email sponsored by: Parasoft
> > Error proof Web apps, automate testing & more.
> > Download & eval WebKing and get a free book.
> > www.parasoft.com/bulletproofapps
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> This SF.Net email sponsored by: Parasoft
> Error proof Web apps, automate testing & more.
> Download & eval WebKing and get a free book.
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users