[Snort-users] Using Snort on a Switch via span problem

Matt Kettler mkettler at ...4108...
Tue Jul 20 12:11:03 EDT 2004


At 04:27 AM 7/20/2004, Eric Noel wrote:
>On 7/20/2004 3:07 PM, Matt Kettler wrote:
> > At 12:56 AM 7/20/2004, Eric Noel wrote:
> >
> >> var HTTP_SERVERS [172.30.19.101/20,172.30.19.102/20]
> >
> > Not sure it's your problem, but 172.30.19.101/20 isn't a legal CIDR 
> spec.. Perhaps you meant /32?
> >
>
>:(
>our lan is Class b subnetted as class C
>Network 172.30.16.0 Class C
>4096 Nodes/Hosts per Network
>Node/Host 3/30
>Broadcast 172.30.31.255
>Dotted Subnet Mask 255.255.240.0
>Number of bits in subnet mask /20
>From: 172.30.16.01
>To: 172.30.31.254
>Broadcast: 172.30.31.255


Stop confusing yourself.. The total size of your network doesn't matter here.

in HTTP_SERVERS it appears your are trying to specify two single hosts. If 
you want to do that, use ]172.30.19.101/32,172.30.19.102/32]

If you want to monitor your entire network as HTTP_SERVERS, use 172.30.16.0/20

However do NOT use an invalid specifier like 172.30.19.101/20. Here your 
specifying a single host as an IP, but an entire network as a mask. You 
can't do that. Use CIDR specs that are properly formated for routing. A 
cidr mask of /20 means that the low 12 bits of the specified IP MUST be 0. 





More information about the Snort-users mailing list