[Snort-users] IP Range Problems

Rich Adamson radamson at ...2127...
Wed Jul 9 09:35:17 EDT 2003


 
> Actually, I would not even recommend that. I like the original /22 and /24
> answer, especially since one would also want to look at Network (10.5.0.0) and
> Broadcast (10.5.4.255) probes and DoS attacks. I imagine the poster was not
> being quite literal. It would be a mistake to leave those out.
<cut>
> var HOME_NET [10.5.0.1/32,10.5.0.2/31,10.5.0.4/30,10.5.0.8/29,10.5.0.16/28,10.5.0.32/27,10.5.0.64/26,10.5.0.128/25,10.5.1.0/24,10.5.2.0/23,10.5.4.0/25,10.5.4.128/26,10.5.4.192/27,10.5.4.224/28,10.5.4.240/29,10.5.4.248/30,10.5.4.252/31,10.5.4.254/32]

I think we've pretty much beat this one to death, but there is one more small
consideration. 

The /22 definition assumes contiguous addresses from bottom to top with a 
"single" broadcast address.

If the original poster is using individual class-b definitions within his
network (eg, servers, routers, etc), then the snort definitions should 
follow those existing definitions.

One "could" specify a very large number of CIDR combinations that would
include the adjacent IP addresses, but technically he should be using his
"real" addressing scheme. Without knowing his exact implementation, many
of the posted responses could be either right on, or wrong.

Rich
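
Added example, not part of the message above or of anyone's post in the thread: a Python sketch that rebuilds the quoted HOME_NET list from its endpoints and checks which network and broadcast addresses each candidate definition leaves out. The five /24 subnets in `REAL_SUBNETS` are a hypothetical addressing plan, assumed only to illustrate the "follow the real scheme" point; the function names are this example's own.

```python
import ipaddress

# Endpoints of the quoted HOME_NET list; EDGE holds the two addresses the
# quoted reply says should not be left out.
FIRST = ipaddress.IPv4Address("10.5.0.1")
LAST = ipaddress.IPv4Address("10.5.4.254")
EDGE = [ipaddress.IPv4Address("10.5.0.0"), ipaddress.IPv4Address("10.5.4.255")]
SIMPLE = [ipaddress.ip_network("10.5.0.0/22"), ipaddress.ip_network("10.5.4.0/24")]
# Hypothetical addressing plan (assumption): five separate /24 subnets.
REAL_SUBNETS = [ipaddress.ip_network(f"10.5.{i}.0/24") for i in range(5)]


def exact_cover(first, last):
    """Smallest CIDR list covering first..last and nothing else."""
    return list(ipaddress.summarize_address_range(first, last))


def home_net(nets):
    """Render networks as a Snort 'var HOME_NET [...]' line."""
    return "var HOME_NET [" + ",".join(str(n) for n in nets) + "]"


def uncovered(nets, addrs):
    """Addresses from addrs that no network in nets contains."""
    return [a for a in addrs if not any(a in n for n in nets)]


def subnet_edges(subnets):
    """Network and broadcast address of every subnet, in order."""
    return [a for s in subnets for a in (s.network_address, s.broadcast_address)]


if __name__ == "__main__":
    exact = exact_cover(FIRST, LAST)
    print(home_net(exact))
    print(home_net(SIMPLE))
    print("exact list misses: ", [str(a) for a in uncovered(exact, EDGE)])
    print("/22 + /24 misses:  ", [str(a) for a in uncovered(SIMPLE, EDGE)])
    # With the assumed /24 plan there are ten network/broadcast addresses,
    # not two; check each candidate HOME_NET against all of them.
    edges = subnet_edges(REAL_SUBNETS)
    print("per-subnet edges:  ", [str(a) for a in edges])
    print("exact list misses: ", [str(a) for a in uncovered(exact, edges)])
    print(home_net(REAL_SUBNETS))
```
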





