Snort mailing list archives
Re: -S and ipvar vs. var
From: Duane Howard <duane.security () gmail com>
Date: Tue, 22 Jul 2014 12:07:13 -0700
My reading of the -h description is that it's not equivalent to defining HOME_NET:

-h home-net
Set the "home network" to home-net. The format of this address variable is a network prefix plus a CIDR block, such as 192.168.1.0/24. Once this variable is set, all decoded packet logging will be done relative to the home network address space. This is useful because of the way that Snort formats its ASCII log data. With this value set to the local network, all decoded output will be logged into decode directories with the address of the foreign computer as the directory name, which is very useful during traffic analysis. *This option does not change "$HOME_NET" in IDS mode.*

I would like to define (and currently do) HOME_NET as an ipvar, but I'm not sure how to do so from the command line if that's at all possible...

./d

On Tue, Jul 22, 2014 at 11:27 AM, Steve Gantz <stephen.gantz () faculty umuc edu> wrote:
Current Snort manual says all IP variables are to be specified with ipvar, so I would expect that would include HOME_NET. I think you want to be using -h as the command line option to pass the value of HOME_NET.

Dr. Stephen D. Gantz, CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, C|CISO
Professor of Information Assurance
The Graduate School
University of Maryland University College
stephen.gantz () faculty umuc edu

On Jul 22, 2014, at 1:30 PM, Duane Howard <duane.security () gmail com> wrote:

Hey folks,

I've got a need to move HOME_NET to being passed on the command line using -S HOME_NET="blah" and I'm wondering if this will internally be treated as a 'var' or 'ipvar' and whether it matters at all. Is there a mechanism to say -S 'ipvar HOME_NET'='blah'?

./d

------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and search up to 200,000 lines of code with a free copy of Black Duck Code Sight - the same software that powers the world's largest code search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- -S and ipvar vs. var Duane Howard (Jul 22)
- Re: -S and ipvar vs. var Steve Gantz (Jul 22)
- Re: -S and ipvar vs. var Duane Howard (Jul 22)
- Re: -S and ipvar vs. var Joel Esler (jesler) (Jul 22)
- Re: -S and ipvar vs. var Duane Howard (Jul 22)
- Re: -S and ipvar vs. var Joel Esler (jesler) (Jul 22)
- Re: -S and ipvar vs. var Duane Howard (Jul 23)
- Re: -S and ipvar vs. var Duane Howard (Jul 22)
- Re: -S and ipvar vs. var Steve Gantz (Jul 22)