[Snort-users] CIDR notation question
cmg at ...1935...
Mon Jul 14 06:02:21 EDT 2003
Rich Adamson <radamson at ...2127...> writes:
> A couple of us are having a discussion off list. Does anyone know (for a
> fact) how snort treats CIDR notation?
> var HOME_NET [172.16.0.0/23] implies 512 addresses, one broadcast
> address (172.16.1.255), and 172.16.0.255 is a valid device address.
> Is there any code that would assume natural subnet masks, or, analyze
> packets in such a way as to assume 172.16.0.255 is treated differently?
> Or, asking the question slightly differently...
> is var HOME_NET [172.16.0.0/24,172.16.1.0/24]
> treated exactly the same as
> HOME_NET [172.16.0.0/23]
> when packets are analyzed?
Functionally the same but there is no optimization phase for the IP
addresses that will determine when you could write a subnet more
concisely so the latter ends up being more efficient.
Chris Green <cmg at ...1935...>
Let not the sands of time get in your lunch.
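
The comparison discussed in this thread, as an added example that is not Snort's code and not part of the original message: it models an address list as a linear scan of mask-and-compare tests (an assumption about the matching strategy, used only for illustration) and checks that the two HOME_NET forms give the same verdicts while the /23 needs fewer comparisons. The helper names are hypothetical.

```python
import ipaddress

def parse_var(value):
    """Parse a Snort-style address list, e.g. '[172.16.0.0/24,172.16.1.0/24]'."""
    items = value.strip().strip("[]").split(",")
    # strict=True rejects entries with host bits set (e.g. 172.16.1.0/23)
    return [ipaddress.ip_network(i.strip(), strict=True) for i in items if i.strip()]

def match(nets, addr):
    """Classless match: (addr & mask) == network. Returns (matched, comparisons)."""
    a = int(ipaddress.ip_address(addr))
    for n, net in enumerate(nets, 1):
        if a & int(net.netmask) == int(net.network_address):
            return True, n
    return False, len(nets)

def collapse(nets):
    """The merge step the reply says is not performed: join adjacent blocks."""
    return list(ipaddress.collapse_addresses(nets))

def verdicts_agree(a, b, probe):
    """True if both lists give the same match result for every address in probe."""
    return all(match(a, h)[0] == match(b, h)[0]
               for h in ipaddress.ip_network(probe))

# The two forms from the question
TWO_24 = parse_var("[172.16.0.0/24,172.16.1.0/24]")
ONE_23 = parse_var("[172.16.0.0/23]")

if __name__ == "__main__":
    net = ONE_23[0]
    print("addresses in /23:", net.num_addresses)
    print("broadcast of /23:", net.broadcast_address)
    for ip in ("172.16.0.255", "172.16.1.10", "172.16.2.1"):
        print(ip, "two /24s ->", match(TWO_24, ip), " one /23 ->", match(ONE_23, ip))
    # Probe a wider /22 so addresses outside HOME_NET are covered too
    print("same verdicts over 172.16.0.0/22:",
          verdicts_agree(TWO_24, ONE_23, "172.16.0.0/22"))
    print("collapsed two /24s:", collapse(TWO_24))
```
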