[Snort-users] IP range in rules

stephane nasdrovisky stephane.nasdrovisky at ...12261...
Thu Aug 19 02:43:23 EDT 2004

Federico Petronio wrote:

> Hi, I read the documentation, but I can't figure out if there is (or 
> not) a way to define IP ranges for rules (directly in the rule or by 
> mean of a variable).
> For example, suppose I would like group these IPs:
>  through

What about to ? or ?

>  through

What about to ? or ?
Adding a few rules alerting on everything from/to 10.1.0. 
100/30,104/29,112/29,120/29,151/32 & 152/29 should match most of your 
needs, no ?

> As far as I saw only single IPs or IP/mask pairs could be specify, but 
> none of those methods is good enough for what I want. Is there any way 
> to write IP ranges?
> I run snort 2.1.3 on Debian Woody.

IP ranges are too stupid to think of in networking environments.
Ip networks/netmask are in many cases a better approach. consider 
dropping any ip range and replace them with ip networks.
Network admins should preffer ip networks/netmask over ip ranges, 
shouldn't  they ?

More information about the Snort-users mailing list