Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Using Snort on a Switch via span problem

From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 20 Jul 2004 15:10:33 -0400
At 04:27 AM 7/20/2004, Eric Noel wrote:

On 7/20/2004 3:07 PM, Matt Kettler wrote:
> At 12:56 AM 7/20/2004, Eric Noel wrote:
>
>> var HTTP_SERVERS [172.30.19.101/20,172.30.19.102/20]
>
> Not sure it's your problem, but 172.30.19.101/20 isn't a legal CIDR spec.. Perhaps you meant /32? 
>

:(
our lan is Class b subnetted as class C
Network 172.30.16.0 Class C
4096 Nodes/Hosts per Network
Node/Host 3/30
Broadcast 172.30.31.255
Dotted Subnet Mask 255.255.240.0
Number of bits in subnet mask /20
From: 172.30.16.01
To: 172.30.31.254
Broadcast: 172.30.31.255



Stop confusing yourself.. The total size of your network doesn't matter here.
in HTTP_SERVERS it appears your are trying to specify two single hosts. If you want to do that, use ]172.30.19.101/32,172.30.19.102/32] 

If you want to monitor your entire network as HTTP_SERVERS, use 172.30.16.0/20
However do NOT use an invalid specifier like 172.30.19.101/20. Here your specifying a single host as an IP, but an entire network as a mask. You can't do that. Use CIDR specs that are properly formated for routing. A cidr mask of /20 means that the low 12 bits of the specified IP MUST be 0. 


-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: