Snort mailing list archives

Re: -S and ipvar vs. var


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Tue, 22 Jul 2014 22:58:23 +0000

Well, in recent versions of Snort, there is no such thing as "var" for an IP or port variable, just portvar and ipvar.



On Jul 22, 2014, at 6:19 PM, Duane Howard <duane.security () gmail com> wrote:

Thanks Joel,

I'm aware of -S, my real question is around whether -S is (internally) treated like 'var' or 'ipvar', and if it's 'var' 
is there a notable downside to using 'var' vs. 'ipvar' in this context?

./d


On Tue, Jul 22, 2014 at 2:57 PM, Joel Esler (jesler) <jesler () cisco com> wrote:
Wrote about this a long time ago on my personal blog:

http://blog.joelesler.net/2010/03/how-to-specify-snort-variable-from.html

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team

On Jul 22, 2014, at 3:07 PM, Duane Howard <duane.security () gmail com> wrote:

My reading of the -h description is that it's not equivalent to defining HOME_NET:

-h home-net
       Set the "home network" to home-net. The format of this address variable is a network prefix plus a
       CIDR block, such as 192.168.1.0/24. Once this variable is set, all decoded packet logging will be
       done relative to the home network address space. This is useful because of the way that Snort
       formats its ASCII log data. With this value set to the local network, all decoded output will be
       logged into decode directories with the address of the foreign computer as the directory name,
       which is very useful during traffic analysis. This option does not change "$HOME_NET" in IDS mode.

I would like to define (and currently do) HOME_NET as an ipvar, but I'm not sure how to do so from the command line if 
that's at all possible...

./d


On Tue, Jul 22, 2014 at 11:27 AM, Steve Gantz <stephen.gantz () faculty umuc edu> wrote:
Current Snort manual says all IP variables are to be specified with ipvar, so I would expect that would include 
HOME_NET. I think you want to be using -h as the command line option to pass the value of HOME_NET.


Dr. Stephen D. Gantz, CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, C|CISO
Professor of Information Assurance
The Graduate School
University of Maryland University College
stephen.gantz () faculty umuc edu


On Jul 22, 2014, at 1:30 PM, Duane Howard <duane.security () gmail com> wrote:

Hey folks,

I've got a need to move HOME_NET to being passed on the command line using -S HOME_NET="blah" and I'm wondering if this 
will internally be treated as a 'var' or 'ipvar' and whether it matters at all. Is there a mechanism to say -S 'ipvar 
HOME_NET'='blah'?

./d
------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!




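The thread leaves open what snort -S does with the value internally, so the question of whether a command-line HOME_NET behaves like an ipvar is worth settling before the sensor is started rather than after. The following is an added example, not code from the thread or from Snort itself: a small Python pre-flight check that takes a NAME=value override in the shape passed to -S and validates the value against the ipvar list syntax (a single CIDR or host, "any", or a bracketed comma-separated list where a leading "!" excludes an entry). That syntax, the parse_override and in_ipvar helper names, and the sample values are assumptions of this example, not a description of Snort's own parser.

```python
import ipaddress
import re
from typing import NamedTuple, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class IpVar(NamedTuple):
    """Parsed ipvar-style value: networks that match, minus networks excluded with '!'."""
    include: Tuple[Net, ...]
    exclude: Tuple[Net, ...]


def parse_ipvar(value: str) -> IpVar:
    """Parse an ipvar-style value. Assumed syntax (hypothetical, modelled on the
    ipvar documentation): one CIDR/host, 'any', or a bracketed comma-separated
    list where a leading '!' negates an entry."""
    text = value.strip()
    if text.lower() == "any":
        return IpVar((ipaddress.ip_network("0.0.0.0/0"),
                      ipaddress.ip_network("::/0")), ())
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    include, exclude = [], []
    for item in (s.strip() for s in text.split(",")):
        if not item:
            raise ValueError(f"empty entry in ipvar value {value!r}")
        negated = item.startswith("!")
        # strict=False so a prefix with host bits set (192.168.1.5/24) is
        # masked to its network instead of rejected outright
        net = ipaddress.ip_network(item.lstrip("!"), strict=False)
        (exclude if negated else include).append(net)
    if not include:
        raise ValueError(f"ipvar value {value!r} has no positive entry")
    return IpVar(tuple(include), tuple(exclude))


def in_ipvar(addr: str, var: IpVar) -> bool:
    """True if addr falls inside an include entry and inside no exclude entry."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in var.exclude):
        return False
    return any(ip in net for net in var.include)


_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def parse_override(arg: str) -> Tuple[str, IpVar]:
    """Split a NAME=value override (the shape given to snort -S), drop any
    quotes the shell left on the value, and validate it as an ipvar."""
    name, sep, value = arg.partition("=")
    if not sep or not _NAME_RE.fullmatch(name):
        raise ValueError(f"expected NAME=value, got {arg!r}")
    return name, parse_ipvar(value.strip().strip("\"'"))


if __name__ == "__main__":
    # Constructed sample overrides for illustration, not values from the thread.
    for arg in ('HOME_NET="192.168.1.0/24"',
                "HOME_NET=[10.0.0.0/8,192.168.1.0/24,!10.1.1.0/24]",
                "HOME_NET=blah"):
        try:
            name, var = parse_override(arg)
            print(arg, "->", name, "covers 10.2.3.4:", in_ipvar("10.2.3.4", var))
        except ValueError as err:
            print(arg, "-> rejected:", err)
```

Running the check in a wrapper script before exec'ing snort turns a typo in the override into an immediate error instead of a sensor that silently treats part of the local range as foreign; the same functions can be pointed at a value read out of snort.conf to confirm that the command-line override and the file agree.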
