Rule Headers
rule determines which address is the source and which one is the destination. Refer to the explanation of the direction part to find more information about how this selection is made.
Following are some examples of how addresses are mentioned in Snort rules:
  • An address 192.168.1.3/32 defines a single host with IP address 192.168.1.3.
  • An address 192.168.1.0/24 defines a class C network with addresses ranging
    from 192.168.1.0 to 192.168.1.255. There are 24 bits in the netmask, which is
    equal to 255.255.255.0.
  • An address 152.168.0.0/16 defines a class B network with addresses ranging
    from 152.168.0.0 to 152.168.255.255. There are 16 bits in the netmask, which
    is equal to 255.255.0.0.
  • An address 10.0.0.0/8 defines a class A network with addresses ranging from
    10.0.0.0 to 10.255.255.255. There are 8 bits in the netmask, which is equal to
    255.0.0.0.
  • An address 192.168.1.16/28 defines an address range of 192.168.1.16 to
    192.168.1.31. There are 28 bits in the netmask field, which is equal to
    255.255.255.240, and the network consists of 16 addresses. You can place only
    14 hosts in this type of network because two of the total 16 addresses are used
    up in defining the network address and the broadcast address. Note that the first
    address in each network is always the network address and the last address is
    the broadcast address. For this network 192.168.1.16 is the network address
    and 192.168.1.31 is the broadcast address.
For example, if you want to generate alerts for all TCP packets with
TTL=100 going to web server 192.168.1.10 at port 80 from any source, you
can use the following rule:
alert tcp any any -> 192.168.1.10/32 80 (msg: "TTL=100"; \
 ttl: 100;)
This rule is just an example to provide information about how IP addresses are
used in Snort rules.
3.5.3.1 Address Exclusion
Snort provides a mechanism to exclude addresses by the use of the negation symbol !, an exclamation point. This symbol is used with the address to direct Snort not to
test packets coming from or going to that address. For example, the following rule is
applied to all packets except those that originate from class C network 192.168.2.0.
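The Python sketch below is an added example, not code from the book or from Snort. It works through the CIDR arithmetic from the address examples above and evaluates a header address written as any, a CIDR block, or a negated CIDR block against packet source addresses. The function names and the sample source addresses are constructed for illustration, and a /24 mask is assumed for the class C network 192.168.2.0.

```python
import ipaddress

def describe(cidr):
    """Return netmask, address range and usable host count for a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=False)
    # The first address is the network address and the last is the broadcast
    # address, so neither can be a host. A /32 names one host and has neither.
    usable = 1 if net.prefixlen == 32 else max(net.num_addresses - 2, 0)
    return {
        "netmask": str(net.netmask),
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "usable_hosts": usable,
    }

def address_matches(spec, ip):
    """Evaluate a header address (any, CIDR or !CIDR) against one IP address."""
    spec = spec.strip()
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:].strip()
    if spec == "any":
        if negate:
            raise ValueError("'!any' would match nothing")
        return True
    hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    # Negation inverts the result: the rule is tested only for addresses
    # outside the named block.
    return hit != negate

def sources_tested(spec, sources):
    """Return the source addresses for which a rule with this spec is tested."""
    return [ip for ip in sources if address_matches(spec, ip)]

if __name__ == "__main__":
    for block in ("192.168.1.3/32", "192.168.1.0/24", "10.0.0.0/8",
                  "192.168.1.16/28"):
        print(block, describe(block))
    # Constructed sample source addresses, not taken from any capture.
    sample = ["192.168.2.77", "192.168.1.10", "10.4.5.6", "192.168.2.1"]
    print(sources_tested("!192.168.2.0/24", sample))
```
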





