Related to the addr type is net. net values hold address
prefixes. Historically, the IP address space was divided into different
classes of addresses, based on the uppermost components of a given
address: class A spanned the range 0.0.0.0 to 127.255.255.255; class B from
128.0.0.0 to 191.255.255.255; class C from 192.0.0.0 to 223.255.255.255;
class D from 224.0.0.0 to 239.255.255.255; and class E from 240.0.0.0 to
255.255.255.255. Addresses were allocated to different networks out of
either class A, B, or C, in blocks of 2^24, 2^16, and 2^8
addresses, respectively.
Accordingly, net values hold either an 8-bit class A prefix,
a 16-bit class B prefix, a 24-bit class C prefix, or a 32-bit class D
“prefix” (an entire address). Values for class E prefixes are not
defined (because no such addresses are currently allocated, and so they
should appear only in clearly bogus packets).
Today, address allocations come not from class A, B or C, but instead from CIDR blocks (CIDR = Classless Inter-Domain Routing), which are prefixes between 1 and 32 bits long in the range 0.0.0.0 to 223.255.255.255. Deficiency: Bro should deal just with CIDR prefixes, rather than old-style network prefixes. However, these are more difficult to implement efficiently for table searching and the like; hence currently Bro only supports the easier-to-implement old-style prefixes. Since these don't match current allocation policies, often they don't really fit an address range you'll want to describe. But for sites with older allocations, they do, which gives them some basic utility.
In addition, Deficiency: IPv6 has no notion of old-style network prefixes, only CIDR prefixes, so the lack of support of CIDR prefixes impairs use of Bro to analyze IPv6 traffic.
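The mismatch between old-style prefixes and CIDR allocations can be made concrete with a short Python sketch. This is an added example, not Bro code or Bro script syntax; the function names classful_net and classful_cover are hypothetical and the sample addresses are constructed.

```python
import ipaddress

# Class ranges and the prefix length a net value holds for each (from the text).
CLASSES = [
    ("A", "0.0.0.0", "127.255.255.255", 8),
    ("B", "128.0.0.0", "191.255.255.255", 16),
    ("C", "192.0.0.0", "223.255.255.255", 24),
    ("D", "224.0.0.0", "239.255.255.255", 32),
]

def classful_net(addr):
    """Return (class letter, old-style prefix) for an IPv4 address."""
    ip = ipaddress.IPv4Address(str(addr))
    for name, lo, hi, bits in CLASSES:
        if ipaddress.IPv4Address(lo) <= ip <= ipaddress.IPv4Address(hi):
            # strict=False masks off the host bits below the class prefix.
            return name, ipaddress.ip_network(f"{ip}/{bits}", strict=False)
    raise ValueError(f"{ip} is class E: no net value is defined")

def classful_cover(cidr):
    """Old-style prefixes needed to describe a CIDR block, plus the number
    of addresses they match that lie outside the block."""
    block = ipaddress.ip_network(cidr)
    name, first = classful_net(block.network_address)
    if classful_net(block.broadcast_address)[0] != name:
        raise ValueError(f"{block} spans more than one address class")
    if block.prefixlen <= first.prefixlen:
        # Block is at least as large as one old-style net: enumerate them all.
        nets = list(block.subnets(new_prefix=first.prefixlen))
    else:
        # Block is smaller than any old-style net: the only choice is too broad.
        nets = [first]
    extra = sum(n.num_addresses for n in nets) - block.num_addresses
    return nets, extra

if __name__ == "__main__":
    for a in ("10.1.2.3", "172.16.5.9", "192.168.1.77", "224.0.0.5"):
        print(a, *classful_net(a))
    for c in ("192.168.16.0/20", "10.20.0.0/14"):
        nets, extra = classful_cover(c)
        print(c, "->", len(nets), "old-style prefix(es),", extra, "extra addresses")
```

A site filter or "local networks" list written with old-style prefixes either needs many entries for one CIDR block or silently treats a much larger range as local, which is the practical cost of the deficiency described above.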