• If the netmask consists of 8 bits, it is a class A network.
• For a single host, use 32 bits in the netmask field.
You can also use any number of bits in the address part allowed by Classless Inter-Domain Routing (CIDR); the class names above are a historical convention, and Snort treats every /n prefix the same way, as a range of addresses. Refer to RFC 791 for the structure of IP addresses and netmasks and to RFC 1519 (since superseded by RFC 4632) for more information on CIDR.
As mentioned earlier, there are two address fields in the Snort rule. One of them is the source address and the other one is the destination address. The direction part of the rule determines which address is source and which one is destination. Refer to the explanation of the direction part to find more information about how this selection is made.
Following are some examples of how addresses are mentioned in Snort rules:
• An address 192.168.1.3/32 defines a single host with IP address 192.168.1.3.
• An address 192.168.1.0/24 defines a class C network with addresses ranging
from 192.168.1.0 to 192.168.1.255. There are 24 bits in the netmask, which is
equal to 255.255.255.0.
• An address 152.168.0.0/16 defines a class B network with addresses ranging
from 152.168.0.0 to 152.168.255.255. There are 16 bits in the netmask, which
is equal to 255.255.0.0.
• An address 10.0.0.0/8 defines a class A network with addresses ranging from
10.0.0.0 to 10.255.255.255. There are 8 bits in the netmask, which is equal to
255.0.0.0.
• An address 192.168.1.16/28 defines an address range of 192.168.1.16 to 192.168.1.31. There are 28 bits in the netmask field, which is equal to 255.255.255.240, and the network consists of 16 addresses. You can place only 14 hosts in this type of network because two of the total 16 addresses are used up in defining the network address and the broadcast address. Note that the first address in each network is always the network address and the last address is the broadcast address. For this network 192.168.1.16 is the network address and 192.168.1.31 is the broadcast address. Snort itself does not make this distinction: a rule with 192.168.1.16/28 in an address field matches packets to or from any of the 16 addresses, the network and broadcast addresses included.
For example, if you want to generate alerts for all TCP packets with
TTL=100 going to web server 192.168.1.10 at port 80 from any source, you
can use the following rule:
alert tcp any any -> 192.168.1.10/32 80 (msg: "TTL=100"; \
ttl: 100;)
This rule is just an example to provide information about how IP addresses are
used in Snort rules.
3.5.3.1 Address Exclusion
Snort provides a mechanism to exclude addresses by the use of the negation symbol !, an exclamation point. This symbol is placed in front of the address to direct Snort not to test packets coming from or going to that address. For example, the following rule is applied to all ICMP packets except those that originate from the class C network 192.168.2.0/24.
Chapter 3 • Working with Snort Rules
alert icmp ![192.168.2.0/24] any -> any any \
(msg: "Ping with TTL=100"; ttl: 100;)
This rule is useful, for instance, when you want to test packets that don't originate from your home network (which means you trust everyone in your home network!). Keep in mind that the exclusion is based on the source address in the packet, which an attacker can spoof, so excluding your own address range also exempts forged packets that claim to come from it.
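The address arithmetic in the examples above and the exclusion mechanism in this section, as an added Python example that is not part of the book or of Snort itself. It models how a Snort 2 rule header selects packets: cidr_info reproduces the netmask, range and host-count figures derived by hand earlier, and address_matches and header_matches apply an address field (a CIDR block, a bracketed comma-separated list, the ! negation, or any), the port fields and the direction operator to sample packets. The rule syntax is Snort's; the function names and the sample packets are constructed for this example, and the rule header is parsed only up to the options part in parentheses.

```python
"""Model of Snort 2 rule-header address and port matching (added example,
not Snort's own code). Uses only the standard-library ipaddress module;
the packets below are constructed for the illustration."""
import ipaddress


def cidr_info(spec):
    """Netmask, range and host count for an address/prefix such as 192.168.1.16/28.

    A bare address with no slash is treated as a single host, as Snort does.
    """
    net = ipaddress.ip_network(spec, strict=False)
    total = net.num_addresses
    # Network and broadcast addresses are not assignable to hosts, except in
    # /31 (point-to-point, RFC 3021) and /32 (single host) prefixes.
    usable = total if net.prefixlen >= 31 else total - 2
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "prefixlen": net.prefixlen,
        "total": total,
        "usable_hosts": usable,
    }


def parse_address_spec(spec):
    """Parse a rule-header address field into (negated, networks).

    networks is None for 'any'. Accepts one CIDR block, a bracketed list such
    as [192.168.1.0/24,10.0.0.0/8], and a leading ! negating the whole field.
    """
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    if spec == "any":
        return negated, None
    networks = [ipaddress.ip_network(part.strip(), strict=False)
                for part in spec.split(",") if part.strip()]
    return negated, networks


def address_matches(spec, ip):
    """True if packet address ip is selected by the address field spec."""
    negated, networks = parse_address_spec(spec)
    addr = ipaddress.ip_address(ip)
    # Every address in a block matches, network and broadcast addresses
    # included: the comparison is against the range, not against hosts.
    hit = True if networks is None else any(addr in net for net in networks)
    return hit != negated


def port_matches(spec, port):
    """Port field: 'any', a single port, or a range low:high (a bound may be omitted)."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        hit = True
    elif ":" in spec:
        low, high = spec.split(":", 1)
        hit = (int(low) if low else 0) <= port <= (int(high) if high else 65535)
    else:
        hit = port == int(spec)
    return hit != negated


def header_matches(header, proto, src, sport, dst, dport):
    """Apply a rule header ('alert tcp any any -> 192.168.1.10/32 80') to a packet.

    The direction operator decides which address field is the source: '->'
    reads left to right, '<>' accepts the packet in either direction. The
    protocol 'ip' matches any IP packet.
    """
    _action, rproto, raddr1, rport1, direction, raddr2, rport2 = header.split()
    if rproto != "ip" and rproto != proto:
        return False
    forward = (address_matches(raddr1, src) and port_matches(rport1, sport)
               and address_matches(raddr2, dst) and port_matches(rport2, dport))
    if direction == "->":
        return forward
    if direction == "<>":
        reverse = (address_matches(raddr2, src) and port_matches(rport2, sport)
                   and address_matches(raddr1, dst) and port_matches(rport1, dport))
        return forward or reverse
    raise ValueError("unknown direction operator: " + direction)


if __name__ == "__main__":
    for block in ("192.168.1.3/32", "192.168.1.0/24", "152.168.0.0/16",
                  "10.0.0.0/8", "192.168.1.16/28"):
        print(block, cidr_info(block))
    web_rule = "alert tcp any any -> 192.168.1.10/32 80"
    # Constructed packets: (proto, src, sport, dst, dport)
    for pkt in [("tcp", "10.9.8.7", 51515, "192.168.1.10", 80),   # matches
                ("tcp", "10.9.8.7", 51515, "192.168.1.10", 443),  # wrong port
                ("tcp", "192.168.1.10", 80, "10.9.8.7", 51515)]:  # reply direction
        print(pkt, header_matches(web_rule, *pkt))
    ping_rule = "alert icmp ![192.168.2.0/24] any -> any any"
    print(header_matches(ping_rule, "icmp", "192.168.2.7", 0, "10.0.0.1", 0))  # excluded source
    print(header_matches(ping_rule, "icmp", "172.16.5.5", 0, "10.0.0.1", 0))   # outside source
```

Running the script prints the figures from the list above for each block (for 192.168.1.16/28: netmask 255.255.255.240, 16 addresses, 14 usable hosts) and shows that the negated ICMP rule drops the packet from 192.168.2.7 while accepting the one from 172.16.5.5; the address and port checks are independent of the order in which the fields are written, which is why the direction operator is what ties each field to source or destination.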