[Snort-users] IP Range Problems

Marc Quibell mquibell at ...7759...
Wed Jul 9 07:59:06 EDT 2003



Actually, I would not even recommend that. I like the original /22 and /24
answer, especially since one would also want to look at Network (10.5.0.0) and
Broadcast (10.5.4.255) probes and DoS attacks. I imagine the poster was not
being quite literal. It would be a mistake to leave those out.


Message: 1
Date: Tue, 8 Jul 2003 16:03:44 -0400
From: Brian <bmc at ...950...>
To: "Nelson, Ben" <bnelson at ...5464...>
Cc: Ryan Vennell <rvennell at ...9347...>,
  snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] IP Range Problems

On Tue, Jul 08, 2003 at 11:58:11AM -0600, Nelson, Ben wrote:
>> I want snort to look at the ip range of 10.5.0.1 - 10.5.4.254 but I can't
>> figure out how to input this into the ip list.  How do I put that into
>> the var HOME_NET list?  Thanks for any help
>
> var HOME_NET [10.5.0.0/22,10.5.4.0/24]

Technically, that's not correct.  You would also look at 10.5.0.0 and
10.5.4.255 which don't fit in the range specified.  For the most part,
that will work, but if you want to be exact, you need:

var HOME_NET [10.5.0.1/32,10.5.0.2/31,10.5.0.4/30,10.5.0.8/29,10.5.0.16/28,10.5.0.32/27,10.5.0.64/26,10.5.0.128/25,10.5.1.0/24,10.5.2.0/23,10.5.4.0/25,10.5.4.128/26,10.5.4.192/27,10.5.4.224/28,10.5.4.240/29,10.5.4.248/30,10.5.4.252/31,10.5.4.254/32]


aggregate is your friend.  (echo 10.5.0.1 - 10.5.4.254 | aggregate -i range)

-brian
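
An added example, not part of the original thread: a Python sketch of the range-to-CIDR split that the aggregate command above is used for, plus a check of which addresses the shorter /22 + /24 form matches outside the requested range. The function names are assumptions chosen for illustration.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Minimal list of CIDR blocks covering exactly first..last (inclusive)."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is above range end")
    blocks = []
    while lo <= hi:
        # Largest block that can start at lo: bounded by lo's trailing zero bits...
        align = (lo & -lo).bit_length() - 1 if lo else 32
        # ...and by the number of addresses still left in the range.
        fit = (hi - lo + 1).bit_length() - 1
        bits = min(align, fit)
        blocks.append(ipaddress.IPv4Network((lo, 32 - bits)))
        lo += 1 << bits
    return blocks

def extra_addresses(loose, first, last):
    """Addresses matched by a looser CIDR list but outside first..last."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    extras = []
    for net in map(ipaddress.IPv4Network, loose):
        # Iterating a network yields every address, network/broadcast included.
        extras += [str(a) for a in net if not lo <= int(a) <= hi]
    return extras

def snort_var(name, blocks):
    """Format the blocks as a Snort 'var' line with a bracketed IP list."""
    return "var %s [%s]" % (name, ",".join(str(b) for b in blocks))

if __name__ == "__main__":
    first, last = "10.5.0.1", "10.5.4.254"   # range from the thread
    exact = range_to_cidrs(first, last)
    # Cross-check against the standard library's own summarizer.
    assert exact == list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    print(snort_var("HOME_NET", exact))
    print("extra in /22 + /24 form:",
          extra_addresses(["10.5.0.0/22", "10.5.4.0/24"], first, last))
```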





