Snort mailing list archives

Re: var or ipvar?

From: Todd Wease <twease () sourcefire com>
Date: Mon, 28 Jan 2013 17:44:48 -0500

If "var" defines an IP or IP list (IPv4 or IPv6), it is stored in the same
structure as if you had used "ipvar", i.e.

var HOME_NET 192.168.0.0/24

is equivalent to

ipvar HOME_NET 192.168.0.0/24

On Mon, Jan 28, 2013 at 4:58 PM, waldo kitty <wkitty42 () windstream net>wrote:

On 1/28/2013 15:39, Y M wrote:

 From Snort 2.9.4 release notes:

"Consolidation of IPv6 -- now only a single build supports both IPv4 &

IPv6, and

removal of the IPv4 "only" code paths."

Does this mean that ipvar should support both IPv4 and IPv6 and var is
deprecated/ no longer needed? Or am I totally off topic here?


this is exactly what i'm talking about...

In previous installations of Snort, we had ipvar and var both at the

same config

file and we did not see any problems, however, we didn't have IPv6

enabled at

that point of time.


and especially this where both were used at one time... we didn't have to
worry
then because we didn't have a working IPv6 in our package... but now we
have
people taking it onto themselves to forcibly upgrade snort because they
can't
get any new rules and they are under the mistaken idea that they /have to
have/
new rules all the time... like the old ones are going to go stale and
stink up
the place or something... so they go thru everything to get a working
binary in
our development package and install it only to find it falling over or not
logging anything and it is starting to look like it is coming down to the
use of
var and/or ipvar in some cases...

YM

--------------------------------------------------------------------------------

From: Joel Esler <mailto:jesler () sourcefire com>
Sent: ‎1/‎28/‎2013 11:07 PM
To: Nicholas Bogart <mailto:nickybzoss () gmail com>
Cc: snort-users () lists sourceforge net <mailto:

snort-users () lists sourceforge net>

Subject: Re: [Snort-users] var or ipvar?

Ipvar, for ips. Portvar for ports.

--
Joel Esler
Sent from my iPad

On Jan 28, 2013, at 3:01 PM, Nicholas Bogart <nickybzoss () gmail com
<mailto:nickybzoss () gmail com>> wrote:

Last I remember on this from the manual you only use ipvar if you are

working

in an IPv6 evironment and have enabled snort for IPv6. If you have it

turned

off then you can continue and are encouraged to still use var.
Nick

On Mon, Jan 28, 2013 at 1:56 PM, waldo kitty <wkitty42 () windstream net
<mailto:wkitty42 () windstream net>> wrote:


    var used to be used for most all var definitions... then work was

being

    done for
    IPv6 and ipvar was created... since then, it seems that ipvar has

been

    retained
    for all and var is simply no longer used...

    is this accurate?

    why is var not retained as an alias for ipvar? systems have been

breaking all

    around us and it is only just now that we're starting to find this

possibly

    being the problem :(

    will it hurt to have both var and ipvar pointing to the same

definitions??


    will older snorts fall over because of ipvar being introduced into

their

    environment before they are ready for it?





------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. ON SALE this month only -- learn more at:
http://p.sf.net/sfu/learnnow-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. ON SALE this month only -- learn more at:
http://p.sf.net/sfu/learnnow-d2d

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Re: var or ipvar?, (continued)
- - - Re: var or ipvar? waldo kitty (Jan 28)
    - Re: var or ipvar? Joel Esler (Jan 28)
    - Re: var or ipvar? waldo kitty (Jan 28)
  - Re: var or ipvar? waldo kitty (Jan 28)
- Re: var or ipvar? Y M (Jan 28)
  - Re: var or ipvar? Nicholas Bogart (Jan 28)
    - Re: var or ipvar? waldo kitty (Jan 28)
    - Re: var or ipvar? Joel Esler (Jan 28)
  - SNORT compilation in ECLIPSE patricio (Jan 28)
  - Re: var or ipvar? waldo kitty (Jan 28)
    - Re: var or ipvar? Todd Wease (Jan 28)
    - Re: var or ipvar? waldo kitty (Jan 28)
    - Re: var or ipvar? Todd Wease (Jan 29)