[Snort-users] CIDR notation question

Rich Adamson radamson at ...2127...
Thu Jul 10 11:45:38 EDT 2003


A couple of us are having a discuss off list.  Does anyone know (for a 
fact) how snort treats CIDR notation?

var HOME_NET [172.16.0.0/23] implies 512 addresses, one broadcast
address (172.16.1.255), and 172.16.0.255 is a valid device address.

Is there any code that would assume natural subnet masks, or, analyze
packets in such a way as to assume 172.16.0.255 is treated differently?

Or, asking the question slightly different...
  is var HOME_NET [172.16.0.0/24,172.16.1.0/24]
    treated exactly the same as
  HOME_NET [172.16.0.0/23]
when packets are analyzed?

Rich







More information about the Snort-users mailing list