[Snort-users] CIDR notation question

Chris Green cmg at ...1935...
Mon Jul 14 06:02:21 EDT 2003


Rich Adamson <radamson at ...2127...> writes:

> A couple of us are having a discuss off list.  Does anyone know (for a 
> fact) how snort treats CIDR notation?
>
> var HOME_NET [172.16.0.0/23] implies 512 addresses, one broadcast
> address (172.16.1.255), and 172.16.0.255 is a valid device address.
>
>
> Is there any code that would assume natural subnet masks, or, analyze
> packets in such a way as to assume 172.16.0.255 is treated differently?

No.

>
>
> Or, asking the question slightly different...
>   is var HOME_NET [172.16.0.0/24,172.16.1.0/24]
>     treated exactly the same as
>   HOME_NET [172.16.0.0/23]
> when packets are analyzed?


Functionally the same but there is no optimization phase for the IP
addresses that will determine when you could write a subnet more
consisely so the latter ends up being more efficient.
-- 
Chris Green <cmg at ...1935...>
Let not the sands of time get in your lunch.




More information about the Snort-users mailing list