Snort mailing list archives
Re: IP range in rules
From: stephane nasdrovisky <stephane.nasdrovisky () paradigmo com>
Date: Thu, 19 Aug 2004 11:41:32 +0200
Federico Petronio wrote:
Hi, I read the documentation, but I can't figure out if there is (or not) a way to define IP ranges for rules (directly in the rule or by mean of a variable).For example, suppose I would like group these IPs: 10.1.0.1 through 10.1.0.99
What about 10.1.0.0 to 10.1.0.128 ? or 10.1.0.0/25 ?
10.1.0.140 through 10.1.0.150
What about 10.1.0.128 to 10.1.0.159 ? or 10.1.0.128/28 ?Adding a few rules alerting on everything from/to 10.1.0. 100/30,104/29,112/29,120/29,151/32 & 152/29 should match most of your needs, no ?
As far as I saw only single IPs or IP/mask pairs could be specify, but none of those methods is good enough for what I want. Is there any way to write IP ranges?I run snort 2.1.3 on Debian Woody.
IP ranges are too stupid to think of in networking environments.Ip networks/netmask are in many cases a better approach. consider dropping any ip range and replace them with ip networks. Network admins should preffer ip networks/netmask over ip ranges, shouldn't they ?
------------------------------------------------------- SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media 100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33 Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift. http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- IP range in rules Federico Petronio (Aug 18)
- Re: IP range in rules stephane nasdrovisky (Aug 19)