[Snort-users] IP range in rules

stephane nasdrovisky stephane.nasdrovisky at ...12261...
Thu Aug 19 02:43:23 EDT 2004


Federico Petronio wrote:

> Hi, I read the documentation, but I can't figure out if there is (or 
> not) a way to define IP ranges for rules (directly in the rule or by 
> means of a variable).
>
> For example, suppose I would like to group these IPs:
>
> 10.1.0.1  through 10.1.0.99

What about 10.1.0.0 to 10.1.0.128? Or 10.1.0.0/25?

> 10.1.0.140  through 10.1.0.150

What about 10.1.0.128 to 10.1.0.159? Or 10.1.0.128/28?
Adding a few rules alerting on everything from/to 10.1.0. 
100/30,104/29,112/29,120/29,151/32 & 152/29 should match most of your 
needs, no?

> As far as I saw only single IPs or IP/mask pairs could be specified, but 
> none of those methods is good enough for what I want. Is there any way 
> to write IP ranges?
>
> I run snort 2.1.3 on Debian Woody.

IP ranges are too stupid to think of in networking environments.
IP networks/netmasks are in many cases a better approach. Consider 
dropping any IP range and replacing them with IP networks.
Network admins should prefer IP networks/netmasks over IP ranges, 
shouldn't they?
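An added example, not part of the original thread: one way to turn the two ranges from the question into the exact set of network/mask blocks and emit them as a bracketed Snort IP list. The variable name `WATCHED_HOSTS` and the helper names are hypothetical; `coverage_gap` reports how many addresses a single looser block matches outside a range and how many in-range addresses it leaves out.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Return the minimal list of CIDR blocks covering exactly first..last."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    # summarize_address_range raises ValueError if lo > hi.
    return list(ipaddress.summarize_address_range(lo, hi))


def snort_var(name, ranges):
    """Build a 'var NAME [a/b,c/d,...]' line from (first, last) pairs."""
    blocks = []
    for first, last in ranges:
        blocks.extend(range_to_cidrs(first, last))
    # collapse_addresses sorts the blocks and merges adjacent/overlapping ones.
    merged = ipaddress.collapse_addresses(blocks)
    return "var %s [%s]" % (name, ",".join(str(net) for net in merged))


def coverage_gap(block, first, last):
    """Return (extra, missed): addresses in block outside first..last,
    and addresses in first..last that block does not cover."""
    net = ipaddress.ip_network(block)
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    net_lo, net_hi = int(net.network_address), int(net.broadcast_address)
    overlap = max(0, min(hi, net_hi) - max(lo, net_lo) + 1)
    return net.num_addresses - overlap, (hi - lo + 1) - overlap


# The two ranges asked about in the thread.
RANGES = [("10.1.0.1", "10.1.0.99"), ("10.1.0.140", "10.1.0.150")]

if __name__ == "__main__":
    print(snort_var("WATCHED_HOSTS", RANGES))  # hypothetical variable name
    for block, (first, last) in zip(["10.1.0.0/25"], RANGES):
        extra, missed = coverage_gap(block, first, last)
        print("%s vs %s-%s: %d extra, %d missed"
              % (block, first, last, extra, missed))
```

The emitted line can be pasted into `snort.conf` and referenced as `$WATCHED_HOSTS` in rule headers.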



