Snort mailing list archives
Re: Snort 2.9.0.3 Now Available
From: vincent () cojot name
Date: Wed, 29 Dec 2010 18:40:25 +0100 (CET)
On Tue, 28 Dec 2010, James Kaufman wrote:
> I think the issue here is that the documentation says to use 'ipvar',
> rather than 'var'. Yet ipvar is invalid in the snort.conf if you don't
> enable ipv6. That just seems wrong somehow. Why is the parser for ipv4
> installations unable to understand the ipvar token?
>
> Jim
Yes, I agree with you James.
Also, I think, from an outsider's point of view, there is a total
of 4 different cases to be handled:
- A) Non-IPV6-enabled snort + snort.conf with tokens like 'var HOME_NET..'
  * This works by default but the config file's syntax is wrong when
    IPV6 is enabled (ipvar should be used instead). I guess most users
    are running that kind of config.
- B) Non-IPV6-enabled snort + snort.conf with tokens like 'ipvar HOME_NET..'
  * non-IPV6 snort could be modified to treat these like 'var' since
    we already know that they are related to networks..
- C) IPV6-enabled snort + snort.conf with tokens like 'ipvar HOME_NET..'
  * Again, this works by design/default. I guess most users with an
    IPV6 snort are running this kind of config.
- D) Non-IPV6-enabled snort + snort.conf with tokens like 'var HOME_NET..'
  * This is, IMHO, the most difficult case to handle. This case looks
    like config rules from an older snort but it could also be a
    configuration error (i.e., the user meant a 'var' but she used an
    'ipvar', or the opposite).
So in order to make things easier for the users, something would need to
be implemented for cases B) and D) (for D), perhaps snort could simply
abort and warn the user if a 'var' looks like what should be an 'ipvar').
Of course, that's just my 2c, I have very very limited knowledge of how
snort actually works...
Vincent
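
The check suggested for case D above (warn when a 'var' looks like what should be an 'ipvar') can be sketched as a standalone lint over snort.conf. This is an added example, not part of the original post and not Snort's parser; the function names, the sample config and the "looks like a network" heuristic are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample snort.conf fragment (not taken from the thread).
SAMPLE_CONF = """\
var HOME_NET [192.168.1.0/24,10.0.0.0/8]
var EXTERNAL_NET !$HOME_NET
ipvar DNS_SERVERS $HOME_NET
var V6_NET 2001:db8::/32
var RULE_PATH ../rules   # a path, not a network
var HTTP_PORTS 80
var ANY_NET any
"""

DECL = re.compile(r"^\s*(var|ipvar|portvar)\s+(\S+)\s+(.+?)\s*$")


def is_network_value(value, net_vars):
    """Heuristic: every element is an IP/CIDR or a $ref to a known network var."""
    decisive = False
    for elem in re.sub(r"[\[\]]", "", value).split(","):
        elem = elem.strip().lstrip("!")          # drop negation
        if elem == "any":                        # ambiguous (nets or ports): neutral
            continue
        try:
            if not elem.startswith("$"):
                ipaddress.ip_network(elem, strict=False)
            elif elem[1:] not in net_vars:       # reference to a non-network variable
                return False
        except ValueError:                       # port, path or other non-address text
            return False
        decisive = True
    return decisive


def lint_conf(text):
    """Return (line_no, name) for each 'var' whose value looks like a network."""
    net_vars, findings = set(), []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = DECL.match(line.split("#", 1)[0])    # ignore comments
        if not m:
            continue
        keyword, name, value = m.groups()
        if keyword == "var" and is_network_value(value, net_vars):
            findings.append((line_no, name))     # candidate for 'ipvar'
            net_vars.add(name)
        elif keyword == "ipvar":
            net_vars.add(name)
    return findings
```

Calling `lint_conf(SAMPLE_CONF)` reports the three network-valued 'var' lines and leaves the path, port and bare `any` declarations alone, since `any` by itself does not say whether a variable holds networks or ports.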
