Snort mailing list archives
ip ranges?
From: "Edwin Eefting" <edwin () bit nl>
Date: 23 Oct 2001 10:15:08 CEST
Why won't this work:

var HOME_NET [213.136.0.0/19,!213.136.3.0/24]

Our homenet should be 213.136.0.0/19, except 213.136.3.0/24, which are dialup accounts. (And they generate a lot of alerts!)

I've written a Perl script to generate something like this:

var HOME_NET [213.136.0.0/24,213.136.1.0/24,213.136.2.0/24,213.136.4.0/24,213.136.5.0/24,213.136.6.0/24,213.136.7.0/24,213.136.8.0/24,213.136.9.0/24,213.136.10.0/24,213.136.11.0/24,213.136.12.0/24,213.136.13.0/24,213.136.14.0/24,213.136.15.0/24,213.136.16.0/24,213.136.17.0/24,213.136.18.0/24,213.136.19.0/24,213.136.20.0/24,213.136.21.0/24,213.136.22.0/24,213.136.23.0/24,213.136.24.0/24,213.136.25.0/24,213.136.26.0/24,213.136.27.0/24,213.136.28.0/24,213.136.29.0/24,213.136.30.0/24,213.136.31.0/24]

Pretty eh? ;-)

But this seems to use a lot of CPU time. (Guess it has to evaluate a lot more IPs with every rule.)

What's a nicer solution?

Edwin

--
Edwin Eefting
Business Internet Trends BV
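Added example, not part of the original post: one way to build a shorter list that covers the same addresses as the 31 /24 entries above, by computing the minimal set of CIDR blocks for a network minus an excluded subnet. The function names exclude_networks and snort_var are hypothetical; only Python's standard ipaddress module is used.

```python
import ipaddress


def exclude_networks(supernet, excluded):
    """Return the smallest sorted list of CIDR blocks covering
    `supernet` minus every network in `excluded`."""
    remaining = [ipaddress.ip_network(supernet)]
    for item in excluded:
        hole = ipaddress.ip_network(item)
        kept = []
        for net in remaining:
            if hole.supernet_of(net):
                # The excluded range swallows this block entirely (or equals it).
                continue
            if net.supernet_of(hole):
                # Split the block around the hole; yields the leftover CIDR pieces.
                kept.extend(net.address_exclude(hole))
            else:
                # CIDR blocks either nest or are disjoint, so this one is untouched.
                kept.append(net)
        remaining = kept
    # Merge any adjacent pieces and return them in address order.
    return sorted(ipaddress.collapse_addresses(remaining))


def snort_var(name, networks):
    """Format a list of networks as a Snort 'var' line with a bracketed list."""
    return "var %s [%s]" % (name, ",".join(str(n) for n in networks))


if __name__ == "__main__":
    # Values taken from the post: the /19 home network without the dialup /24.
    nets = exclude_networks("213.136.0.0/19", ["213.136.3.0/24"])
    print(snort_var("HOME_NET", nets))
```

For the networks in the post this produces five entries instead of 31, with the same address coverage.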