Snort mailing list archives

Re: frag3 bind_to and ipvar not working


From: Alex Tatistcheff <alex.tatistcheff () gmail com>
Date: Sat, 13 Mar 2010 02:51:38 -0700

Lee,

Unless something has radically changed lately you can't use variables in
preprocessors to define ports and IP addresses.  Variables work for rules
but for preprocessors try using the actual IPs instead.

Alex Tatistcheff
alext () pobox com

The most terrifying words in the English language are, "I'm from the
government and I'm here to help." -Ronald Reagan




On Fri, Mar 12, 2010 at 7:21 PM, Lee Clemens <snort () leeclemens net> wrote:

Hello,

I am using Snort 2.5.8.3 on Linux kernel 2.6.x.

My snort.conf contains (was running on 2.8.4.1):

var LINUX_SERVERS [192.168.1.2,192.168.1.3]

preprocessor frag3_global: max_frags 65536, \
  prealloc_frags 65536, \
  memcap 524288
preprocessor frag3_engine: policy linux \
       bind_to $LINUX_SERVERS \
       detect_anomalies

However, starting snort fails each time on the frag3_engine line.

I have tried using slash-notation for each IP, and using ipvar instead of
var.
Each time I get the error: Unable to process the IP address: LINUX_SERVERS.

If I use $(LINUX_SERVERS) or [$LINUX_SERVERS], etc., I receive the same
error but with or without brackets.

Using var and $(LINUX_SERVERS:?linux not defined), I receive the error
"linux not defined".

Any help would be greatly appreciated.

-Lee




------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
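
Added example (not part of the thread, and not Snort project code): one way to follow the advice in the reply while still maintaining each address list in a single place is to generate the deployed snort.conf from a template, substituting literal values for `$NAME` / `$(NAME)` references only inside `preprocessor` directives and leaving rules untouched. The function name `expand_preprocessor_vars` and the sample rule are hypothetical; the configuration text is the fragment from the original post.

```python
import re

# Constructed sample: the snort.conf fragment from the post, plus one made-up rule.
SAMPLE_CONF = r"""var LINUX_SERVERS [192.168.1.2,192.168.1.3]

preprocessor frag3_global: max_frags 65536, \
  prealloc_frags 65536, \
  memcap 524288
preprocessor frag3_engine: policy linux \
       bind_to $LINUX_SERVERS \
       detect_anomalies
alert tcp any any -> $LINUX_SERVERS 22 (msg:"constructed rule"; sid:1000001;)
"""

DEF_RE = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\w+)\s+(\S+)\s*$")
REF_RE = re.compile(r"\$(?:\((\w+)\)|(\w+))")  # matches $NAME or $(NAME)


def expand_preprocessor_vars(conf_text):
    """Replace $VAR references inside preprocessor directives (including
    backslash-continued lines) with the literal value; leave rules alone."""
    variables, out, in_preproc = {}, [], False
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        definition = DEF_RE.match(line)
        if definition:
            variables[definition.group(1)] = definition.group(2)
        if in_preproc or line.lstrip().startswith("preprocessor "):
            def literal(ref):
                name = ref.group(1) or ref.group(2)
                if name not in variables:
                    # Fail here instead of at Snort start-up.
                    raise ValueError(f"line {lineno}: ${name} is not defined")
                return variables[name]
            line = REF_RE.sub(literal, line)
            # A trailing backslash means the directive continues on the next line.
            in_preproc = line.rstrip().endswith("\\")
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(expand_preprocessor_vars(SAMPLE_CONF), end="")
```

Check the generated file with `snort -T -c <file>` before putting it into service.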
