Re: RE: Difficulty setting HOME_NET to my interface address

["Chris Reid" <Chris.Reid () CodeCraftConsultants com>]

The problem was two-fold.

First, pcap represents the interfaces differently, depending on whether it
is a *nix flavour versus Win32.  The parameter being passed into
DefineIfaceVar() under Win32 was actually treated as an empty string.  So
under Win32, snort is currently creating a variable called $_ADDRESS, with
the correct information.  (Under *nix, this would be something equivalent to
$eth0_ADDRESS).  I have corrected this in snort 2.0.  I'll test and update
1.9 later tonight.

Second, snort doesn't allow non-standard characters in variable names,
unless you "quote" the name using parentheses.  Non-standard characters
include backslash, curly braces and hyphens.  All of these appear in the
Win32 interface name.  So, you need to "quote" the variable name, such as
(using an example from a previous message in this thread):

    var HOME_NET
$(\Device\NPF_{10B946B4-4170-4447-9D02-6D2E135640BB}_ADDRESS)

So, if you are using an existing snort distribution from before today, use
$_ADDRESS.  If you update your source code as of today, from either a daily
tarball, or by grabbing source from CVS, use the "quoting" with parentheses.

Chris Reid


----- Original Message -----
From: "Erek Adams" <erek () snort org>
To: "Charles Darwin" <darwin () netmadeira com>
Cc: "Snort-Users (E-mail)" <snort-users () lists sourceforge net>
Sent: Saturday, February 15, 2003 8:55 AM
Subject: Re: [Snort-users] RE: Difficulty setting HOME_NET to my interface
address


> On Sat, 15 Feb 2003, Charles Darwin wrote:
>
> > The problem is it does not seems to accept the interface name...
> > Any ideia why is this happening?
> > (I checked with snort -W already and even made it appent the interface
name
> > to the alerts to confirm, but still does not work :-\)
>
> Right.  There seems to be some horkage with Win32 and the interface name.
> I can't verify/troubleshoot as I don't have a Win32 box.  :-)
>
> I'll bounce it to the Win32 folks.
>
> -----
> Erek Adams
>
>    "When things get weird, the weird turn pro."   H.S. Thompson



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users