Snort mailing list archives
Re: Snort 2.9.0.3 Now Available
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 3 Jan 2011 09:21:48 -0500
I put in a bug for this to correct the issue.

On Dec 29, 2010, at 12:40 PM, vincent () cojot name wrote:

> On Tue, 28 Dec 2010, James Kaufman wrote:
>
>> I think the issue here is that the documentation says to use 'ipvar', rather than 'var'. Yet ipvar is invalid in the snort.conf if you don't enable ipv6. That just seems wrong somehow. Why is the parser for ipv4 installations unable to understand the ipvar token?
>>
>> Jim
>
> Yes, I agree with you James. Also, I think, from an outsider's point of view, there is a total of 4 different cases to be handled:
>
> - A) Non-IPV6-enabled snort + snort.conf with tokens like 'var HOME_NET..'
>   * This works by default but the config file's syntax is wrong when IPV6 is enabled (ipvar should be used instead). I guess most users are running that kind of config.
> - B) Non-IPV6-enabled snort + snort.conf with tokens like 'ipvar HOME_NET..'
>   * non-IPV6 snort could be modified to treat these like 'var' since we already know that they are related to networks..
> - C) IPV6-enabled snort + snort.conf with tokens like 'ipvar HOME_NET..'
>   * Again, this works by design/default. I guess most users with an IPV6 snort are running this kind of config.
> - D) Non-IPV6-enabled snort + snort.conf with tokens like 'var HOME_NET..'
>   * This is, IMHO, the most difficult case to handle. This case looks like config rules from an older snort but it could also be a configuration error (i.e: the user meant a 'var' but she used an 'ipvar', or the opposite).
>
> So in order to make things easier for the users, something would need to be implemented for cases B) and D) (for D), perhaps snort could simply abort and warn the user if a 'var' looks like what should be an 'ipvar').
>
> Of course, that's just my 2c, I have very very limited knowledge of how snort actually works...
>
> Vincent
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
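One way to catch the var/ipvar mismatches discussed in this thread before Snort parses the file, as an added example that is not part of the thread or of Snort itself. The `lint` and `looks_like_network` helpers, the `ipv6_build` flag and the sample configuration are constructed for illustration.

```python
import ipaddress
import re

# Matches "var NAME value", "ipvar NAME value" and "portvar NAME value".
DECL = re.compile(r'^\s*(var|ipvar|portvar)\s+(\S+)\s+(.+?)\s*$')

def looks_like_network(value, ip_vars):
    """True if every element is an IP, a CIDR, 'any' or a reference to an IP variable."""
    items = [t for t in re.split(r'[\[\],\s!]+', value) if t]
    for item in items:
        if item == 'any' or (item.startswith('$') and item[1:] in ip_vars):
            continue
        try:
            ipaddress.ip_network(item, strict=False)
        except ValueError:
            return False
    return bool(items)

def lint(conf_text, ipv6_build):
    """Return (line number, variable name, message) for each suspicious declaration."""
    findings, ip_vars = [], set()
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        match = DECL.match(line.split('#', 1)[0])   # ignore comments
        if not match or match.group(1) == 'portvar':
            continue
        keyword, name, value = match.groups()
        is_net = looks_like_network(value, ip_vars)
        if keyword == 'ipvar' or is_net:
            ip_vars.add(name)                       # later "$NAME" references count as networks
        if keyword == 'ipvar' and not ipv6_build:
            findings.append((lineno, name, "'ipvar' used, but this build has no IPv6 support"))
        elif keyword == 'var' and is_net and ipv6_build:
            findings.append((lineno, name, "'var' holds a network list; use 'ipvar' on an IPv6 build"))
    return findings

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """\
var RULE_PATH ../rules
var HOME_NET [10.0.0.0/8,192.168.1.0/24]
var EXTERNAL_NET !$HOME_NET
ipvar DNS_SERVERS $HOME_NET
portvar HTTP_PORTS [80,8080]
"""

if __name__ == "__main__":
    for ipv6 in (True, False):
        print("IPv6 build:" if ipv6 else "non-IPv6 build:")
        for lineno, name, msg in lint(SAMPLE, ipv6):
            print(f"  line {lineno}: {name}: {msg}")
```

The 'var' check is a heuristic along the lines of the warning suggested in the quoted message: path variables such as `RULE_PATH` are left alone because their values do not parse as addresses.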
Current thread:
- Re: Snort 2.9.0.3 Now Available Joel Esler (Jan 03)
- Re: Snort 2.9.0.3 Now Available Ryan Jordan (Jan 03)
- Re: Snort 2.9.0.3 Now Available vincent (Jan 04)
- Re: Snort 2.9.0.3 Now Available Ryan Jordan (Jan 04)
- Re: Snort 2.9.0.3 Now Available vincent (Jan 07)
- Re: Snort 2.9.0.3 Now Available anvin igcar (Jan 07)
- Re: Snort 2.9.0.3 Now Available vincent (Jan 04)
- Re: Snort 2.9.0.3 Now Available Ryan Jordan (Jan 03)
- <Possible follow-ups>
- Re: Snort 2.9.0.3 Now Available vincent (Jan 03)