[Snort-users] Configuring snort.conf

Erek Adams erek at ...950...
Wed Feb 11 07:22:09 EST 2004


On Tue, 10 Feb 2004, James Chong wrote:

> The examples given uses a network ID followed by a
> subnet mask.
>
> Say I only want to monitor certain IP addresses using
> snort.Can I do this? How should I write it?
>
> Say I want to monitor only certain IP addresses on my
> network: 202.185.109.161-202.185.109.165
>
> Net ID:202.185.109.160/27
>
> To monitor the whole network I would use:
> var HOME_NET 202.185.109.160/27 but I do not want
> this.
>
> Should it be:
> var HOME_NET 202.185.109.161-202.185.109.165 then?

Nope.

var HOME_NET [202.185.109.161/32,202.185.109.162/32,202.185.109.163/32,202.185.109.164/32,202.185.109.165/32]

Or to clean that up a bit, you might want to use:

var HOME_NET 202.185.109.160/29

That'll get you .160-.166.

Cheers!

-----
Erek Adams

 "It looks just like a Telefunken U-47.  You'll love it..."  -- Frank Zappa




More information about the Snort-users mailing list