Snort mailing list archives

Re: IP range in rules


From: stephane nasdrovisky <stephane.nasdrovisky () paradigmo com>
Date: Thu, 19 Aug 2004 11:41:32 +0200

Federico Petronio wrote:

> Hi, I read the documentation, but I can't figure out if there is (or not) a way to define IP ranges for rules (directly in the rule or by means of a variable).
>
> For example, suppose I would like to group these IPs:
>
> 10.1.0.1  through 10.1.0.99

What about 10.1.0.0 to 10.1.0.128? Or 10.1.0.0/25?

> 10.1.0.140  through 10.1.0.150

What about 10.1.0.128 to 10.1.0.159? Or 10.1.0.128/28?
Adding a few rules alerting on everything from/to 10.1.0. 100/30,104/29,112/29,120/29,151/32 & 152/29 should match most of your needs, no?

> As far as I saw only single IPs or IP/mask pairs could be specified, but none of those methods is good enough for what I want. Is there any way to write IP ranges?
>
> I run snort 2.1.3 on Debian Woody.

IP ranges are too stupid to think of in networking environments.
IP networks/netmask are in many cases a better approach. Consider dropping any IP range and replacing them with IP networks. Network admins should prefer IP networks/netmask over IP ranges, shouldn't they?
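
Added example, not part of the original post or of Snort: a Python sketch that turns the two ranges from the question into the exact CIDR blocks covering them, formats them as a bracketed Snort 2.x `var` list, and counts how many unrequested addresses a looser single network would also match. The variable name `GROUPED_HOSTS` and the function names are hypothetical.

```python
import ipaddress

# Ranges from the question in this thread (inclusive first/last addresses).
RANGES = [("10.1.0.1", "10.1.0.99"), ("10.1.0.140", "10.1.0.150")]


def range_to_cidrs(first, last):
    """Return the minimal list of CIDR blocks that exactly covers first..last."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError(f"range start {first} is above range end {last}")
    return list(ipaddress.summarize_address_range(lo, hi))


def snort_var(name, ranges):
    """Build a Snort 2.x 'var' line holding every block for the given ranges."""
    blocks = [net for first, last in ranges for net in range_to_cidrs(first, last)]
    return f"var {name} [{','.join(str(net) for net in blocks)}]"


def extra_addresses(cidr, ranges):
    """Count addresses inside cidr that lie outside all requested ranges.

    Assumes the requested ranges do not overlap each other.
    """
    net = ipaddress.ip_network(cidr)
    net_lo, net_hi = int(net.network_address), int(net.broadcast_address)
    wanted = 0
    for first, last in ranges:
        lo = max(int(ipaddress.IPv4Address(first)), net_lo)
        hi = min(int(ipaddress.IPv4Address(last)), net_hi)
        if lo <= hi:
            wanted += hi - lo + 1
    return net.num_addresses - wanted


if __name__ == "__main__":
    # GROUPED_HOSTS is a hypothetical variable name chosen for this example.
    print(snort_var("GROUPED_HOSTS", RANGES))
    for loose in ("10.1.0.0/25", "10.1.0.128/27"):
        print(f"{loose} also matches {extra_addresses(loose, RANGES)} unrequested addresses")
```

The exact cover needs twelve blocks for these two ranges, so the choice is between a longer variable and a rule that also fires on hosts outside the intended group.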

