[Snort-users] IP range in rules
stephane.nasdrovisky at ...12261...
Thu Aug 19 02:43:23 EDT 2004
Federico Petronio wrote:
> Hi, I read the documentation, but I can't figure out if there is (or
> not) a way to define IP ranges for rules (directly in the rule or by
> mean of a variable).
> For example, suppose I would like group these IPs:
> 10.1.0.1 through 10.1.0.99
What about 10.1.0.0 to 10.1.0.128 ? or 10.1.0.0/25 ?
> 10.1.0.140 through 10.1.0.150
What about 10.1.0.128 to 10.1.0.159 ? or 10.1.0.128/28 ?
Adding a few rules alerting on everything from/to 10.1.0.
100/30,104/29,112/29,120/29,151/32 & 152/29 should match most of your
needs, no ?
> As far as I saw only single IPs or IP/mask pairs could be specify, but
> none of those methods is good enough for what I want. Is there any way
> to write IP ranges?
> I run snort 2.1.3 on Debian Woody.
IP ranges are too stupid to think of in networking environments.
Ip networks/netmask are in many cases a better approach. consider
dropping any ip range and replace them with ip networks.
Network admins should preffer ip networks/netmask over ip ranges,
shouldn't they ?
More information about the Snort-users