Snort mailing list archives

Re: Configuring snort.conf

From: Erek Adams <erek () snort org>
Date: Wed, 11 Feb 2004 10:20:44 -0500 (EST)

On Tue, 10 Feb 2004, James Chong wrote:

The examples given uses a network ID followed by a
subnet mask.

Say I only want to monitor certain IP addresses using
snort.Can I do this? How should I write it?

Say I want to monitor only certain IP addresses on my
network: 202.185.109.161-202.185.109.165

Net ID:202.185.109.160/27

To monitor the whole network I would use:
var HOME_NET 202.185.109.160/27 but I do not want
this.

Should it be:
var HOME_NET 202.185.109.161-202.185.109.165 then?


Nope.

var HOME_NET [202.185.109.161/32,202.185.109.162/32,202.185.109.163/32,202.185.109.164/32,202.185.109.165/32]

Or to clean that up a bit, you might want to use:

var HOME_NET 202.185.109.160/29

That'll get you .160-.166.

Cheers!

-----
Erek Adams

 "It looks just like a Telefunken U-47.  You'll love it..."  -- Frank Zappa


-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Configuring snort.conf James Chong (Feb 10)
- Re: Configuring snort.conf Erek Adams (Feb 11)