Snort mailing list archives

Re: frag3 bind_to and ipvar not working


From: "Lee Clemens" <snort () leeclemens net>
Date: Sat, 13 Mar 2010 19:45:59 -0500

Changing to IPs works fine.

Wish I could still use var's though, is it no longer possible?

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com] 
Sent: Saturday, March 13, 2010 12:52 PM


Did it work?  Or did it simply not throw an error?

--
Joel Esler
Sent from my iPhone

On Mar 13, 2010, at 11:02 AM, "Lee Clemens" <snort () leeclemens net> wrote:

Hi Alex,

It was working this way in 2.8.4.1. I found it very useful since frag3 linux
policy and stream5 linux policy tend to use the same IPs, SSL rules use the
same ports as the ssl preprocessor to look for ssl traffic, etc.

-Lee

-----Original Message-----
From: Alex Tatistcheff [mailto:alex.tatistcheff () gmail com]
Sent: Saturday, March 13, 2010 4:52 AM


Lee,

Unless something has radically changed lately you can't use variables in
preprocessors to define ports and IP addresses.  Variables work for rules
but for preprocessors try using the actual IPs instead.

Alex Tatistcheff
alext () pobox com

The most terrifying words in the English language are, "I'm from the
government and I'm here to help." -Ronald Reagan





On Fri, Mar 12, 2010 at 7:21 PM, Lee Clemens <snort () leeclemens net> wrote:


   Hello,

   I am using Snort 2.5.8.3 on Linux kernel 2.6.x.

   My snort.conf contains (was running on 2.8.4.1):

   var LINUX_SERVERS [192.168.1.2,192.168.1.3]

   preprocessor frag3_global: max_frags 65536, \
     prealloc_frags 65536, \
     memcap 524288
   preprocessor frag3_engine: policy linux \
          bind_to $LINUX_SERVERS \
          detect_anomalies

   However, starting snort fails each time on the frag3_engine line.

   I have tried using slash-notation for each IP, and using ipvar instead of
   var.
   Each time I get the error: Unable to process the IP address: LINUX_SERVERS.

   If I wrap use $(LINUX_SERVERS) or [$LINUX_SERVERS], etc, I receive the same
   error but with or without brackets.

   Using var and $(LINUX_SERVERS:?linux not defined), I receive the error
   "linux not defined".

   Any help would be greatly appreciated.

   -Lee




   ------------------------------------------------------------------------------
   Download Intel® Parallel Studio Eval
   Try the new software tools for yourself. Speed compiling, find bugs
   proactively, and fine-tune applications for parallel performance.
   See why Intel Parallel Studio got high marks during beta.
   http://p.sf.net/sfu/intel-sw-dev
   _______________________________________________
   Snort-users mailing list
   Snort-users () lists sourceforge net
   Go to this URL to change user options or unsubscribe:
   https://lists.sourceforge.net/lists/listinfo/snort-users
   Snort-users list archive:
   http://www.geocrawler.com/redir-sf.php3?list=snort-users











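Added example, not part of the thread and not Snort project code: since literal IPs worked in `bind_to` where `$LINUX_SERVERS` did not, a small Python pre-pass can keep the single `var` definition as the source of truth and write its literal value into preprocessor directives only, leaving rules untouched. The function names and the sample rule line are assumptions constructed for illustration; the rest of the sample is the configuration quoted above.

```python
import re

# "var NAME value", "ipvar NAME value" or "portvar NAME value" definitions.
VAR_DEF = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\w+)\s+(\S.*?)\s*$")
VAR_REF = re.compile(r"\$\((\w+)\)|\$(\w+)")   # $NAME or $(NAME)

# Constructed sample: the thread's snort.conf lines plus one made-up rule.
SAMPLE_CONF = r"""var LINUX_SERVERS [192.168.1.2,192.168.1.3]
preprocessor frag3_global: max_frags 65536, \
  prealloc_frags 65536, \
  memcap 524288
preprocessor frag3_engine: policy linux \
  bind_to $LINUX_SERVERS \
  detect_anomalies
alert tcp any any -> $LINUX_SERVERS 22 (msg:"constructed sample rule"; sid:1000001;)
"""

def resolve(name, table, seen=()):
    """Return a variable's literal value, following nested references."""
    if name not in table:
        raise KeyError(f"undefined variable: {name}")
    if name in seen:
        raise ValueError(f"circular definition: {name}")
    return VAR_REF.sub(
        lambda m: resolve(m.group(1) or m.group(2), table, seen + (name,)),
        table[name])

def expand_preprocessors(conf_text):
    """Replace variable references with literals inside preprocessor directives only."""
    table, out = {}, []
    in_preproc = continued = False
    for line in conf_text.splitlines():
        if not continued:  # first physical line of a directive
            in_preproc = line.lstrip().startswith("preprocessor ")
            m = VAR_DEF.match(line)
            if m:
                table[m.group(1)] = m.group(2)
        if in_preproc:     # also covers backslash-continued lines such as bind_to
            line = VAR_REF.sub(
                lambda m: resolve(m.group(1) or m.group(2), table), line)
        continued = line.rstrip().endswith("\\")
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(expand_preprocessors(SAMPLE_CONF), end="")
```

An undefined variable inside a preprocessor directive raises `KeyError` instead of being passed through to Snort.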