[Snort-users] Using Snort on a Switch via span problem

Matt Kettler mkettler at ...4108...
Tue Jul 20 12:11:03 EDT 2004

At 04:27 AM 7/20/2004, Eric Noel wrote:
>On 7/20/2004 3:07 PM, Matt Kettler wrote:
> > At 12:56 AM 7/20/2004, Eric Noel wrote:
> >
> >> var HTTP_SERVERS [,]
> >
> > Not sure it's your problem, but isn't a legal CIDR 
> spec.. Perhaps you meant /32?
> >
>our lan is Class b subnetted as class C
>Network Class C
>4096 Nodes/Hosts per Network
>Node/Host 3/30
>Dotted Subnet Mask
>Number of bits in subnet mask /20

Stop confusing yourself.. The total size of your network doesn't matter here.

in HTTP_SERVERS it appears your are trying to specify two single hosts. If 
you want to do that, use ],]

If you want to monitor your entire network as HTTP_SERVERS, use

However do NOT use an invalid specifier like Here your 
specifying a single host as an IP, but an entire network as a mask. You 
can't do that. Use CIDR specs that are properly formated for routing. A 
cidr mask of /20 means that the low 12 bits of the specified IP MUST be 0. 

More information about the Snort-users mailing list