[Snort-users] Using Snort on a Switch via span problem
mkettler at ...4108...
Tue Jul 20 12:11:03 EDT 2004
At 04:27 AM 7/20/2004, Eric Noel wrote:
>On 7/20/2004 3:07 PM, Matt Kettler wrote:
> > At 12:56 AM 7/20/2004, Eric Noel wrote:
> >> var HTTP_SERVERS [172.30.19.101/20,172.30.19.102/20]
> > Not sure it's your problem, but 172.30.19.101/20 isn't a legal CIDR
> spec.. Perhaps you meant /32?
>our lan is Class b subnetted as class C
>Network 172.30.16.0 Class C
>4096 Nodes/Hosts per Network
>Dotted Subnet Mask 255.255.240.0
>Number of bits in subnet mask /20
Stop confusing yourself.. The total size of your network doesn't matter here.
in HTTP_SERVERS it appears your are trying to specify two single hosts. If
you want to do that, use ]172.30.19.101/32,172.30.19.102/32]
If you want to monitor your entire network as HTTP_SERVERS, use 172.30.16.0/20
However do NOT use an invalid specifier like 172.30.19.101/20. Here your
specifying a single host as an IP, but an entire network as a mask. You
can't do that. Use CIDR specs that are properly formated for routing. A
cidr mask of /20 means that the low 12 bits of the specified IP MUST be 0.
More information about the Snort-users