From: romandanyliw.com
Date: Thu Nov 01 2001 - 13:32:56 CST

    Not exactly valid CIDR notation, but let's investigate.

    x.177.88.0/20 is the following in binary:

    xxxxxxxx 10110001 1011xxxx xxxxxxxx

    (where 'x' can be either 0 or 1)

    The following would be the mask to match such a network:

    00000000 10110001 10110000 00000000 = 11644928 = mask

    ip AND mask = mask (then we have a match)

    SELECT ip_src FROM iphdr WHERE ((ip_src & 11644928) = 11644928)

    The representation of the ip address as an unsigned 32-bit integer was
    done to facilitate exactly this type of operation.

    Roman

    On 1 Nov 2001, Greg Sarsons wrote:

    > Okay let's make this a bit more complicated.
    >
    > Lets say I want to get all the addresses from x.117.88.0 thru to
    > x.177.95.255
    >
    > which is x.177.88.0/20
    >
    > Is there a straightforward way to just match ips just on all or just
    > one of those subnets?
    >
    > Greg
    >
    > On Thu, 2001-11-01 at 10:31, Jason Straight wrote:
    > > Actually I got another answer also, mysql has just that function
    > > select inet_ntoa(ipsrc) from iphdr;
    > >
    > >
    > > On Thursday 01 November 2001 10:12, Phil Wood wrote:
    > > > You'll probably get a lot of these types of responses. I had that question
    > > > recently from one of the network staff here and thought I'd code it to
    > > > death.
    > > >
    > > > It's a perl script called int-to-ip which takes input in one of two ways:
    > > >
    > > > int-to-ip number [another_number]*
    > > > int-to-ip < list_of_numbers_file
    > > >
    > > > Later,
    > > >
    > > > On Thu, Nov 01, 2001 at 12:36:29AM -0500, Jason Straight wrote:
    > > > > I'm confused. Snort on mysql has an ip addy that's nothing more than an
    > > > > integer. How do I get a dotted quad IP# from:
    > > > >
    > > > > 208436227 ?
    > > > >
    > > > > Thanks in advance.
    > > >
    >

    _______________________________________________
    Snort-users mailing list
    Snort-userslists.sourceforge.net
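
Added example, not part of the original thread: selecting integer-stored addresses in the x.177.88.0 through x.177.95.255 block by masking and comparing against the network value, so the fixed 0 bits are checked as well as the fixed 1 bits. It assumes Python's sqlite3 as a stand-in for the MySQL database, a one-column `iphdr` table, and constructed sample addresses; the helper names are hypothetical.

```python
import ipaddress
import sqlite3

# Constructed sample addresses (not from any real sensor).
SAMPLE = ["10.177.88.1", "192.177.95.255", "10.177.96.0",
          "10.177.87.255", "10.177.255.0", "12.108.124.3"]

def to_int(dotted):
    """Dotted quad -> unsigned 32-bit integer, as stored in ip_src."""
    return int(ipaddress.IPv4Address(dotted))

def to_dotted(n):
    """Unsigned 32-bit integer -> dotted quad (what MySQL inet_ntoa() does)."""
    return str(ipaddress.IPv4Address(n))

def range_mask(first, last, wildcard_octets=0):
    """Return (mask, value) such that (ip & mask) == value for first..last.

    The range must be one aligned power-of-two block. The leading
    wildcard_octets octets are ignored (the 'x' in x.177.88.0).
    """
    lo, hi = to_int(first), to_int(last)
    host_bits = lo ^ hi                      # bits that vary inside the block
    if host_bits & (host_bits + 1) or lo & host_bits:
        raise ValueError("range is not a single aligned block")
    keep = 0xFFFFFFFF >> (8 * wildcard_octets)
    mask = ~host_bits & keep                 # 1 = bit must equal the value
    return mask, lo & mask

def build_db():
    """In-memory table reduced to the one column the query needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE iphdr (ip_src INTEGER)")
    conn.executemany("INSERT INTO iphdr VALUES (?)",
                     [(to_int(a),) for a in SAMPLE])
    return conn

def match_block(conn, mask, value):
    """Rows whose masked address equals the block's network value."""
    rows = conn.execute(
        "SELECT ip_src FROM iphdr WHERE (ip_src & ?) = ? ORDER BY ip_src",
        (mask, value))
    return [to_dotted(r[0]) for r in rows]

if __name__ == "__main__":
    mask, value = range_mask("0.177.88.0", "0.177.95.255", wildcard_octets=1)
    print(mask, value, match_block(build_db(), mask, value))
    print(to_dotted(208436227))
```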