Snort mailing list archives

Re: frag3 bind_to and ipvar not working


From: "Lee Clemens" <snort () leeclemens net>
Date: Sat, 13 Mar 2010 11:02:15 -0500

Hi Alex,

It was working this way in 2.8.4.1. I found it very useful since frag3 linux
policy and stream5 linux policy tend to use the same IPs, SSL rules use the
same ports as the ssl preprocessor to look for ssl traffic, etc.

-Lee

-----Original Message-----
From: Alex Tatistcheff [mailto:alex.tatistcheff () gmail com] 
Sent: Saturday, March 13, 2010 4:52 AM


Lee,

Unless something has radically changed lately you can't use variables in
preprocessors to define ports and IP addresses.  Variables work for rules
but for preprocessors try using the actual IPs instead.

Alex Tatistcheff
alext () pobox com

The most terrifying words in the English language are, "I'm from the
government and I'm here to help." -Ronald Reagan





On Fri, Mar 12, 2010 at 7:21 PM, Lee Clemens <snort () leeclemens net> wrote:


        Hello,
        
        I am using Snort 2.5.8.3 on Linux kernel 2.6.x.
        
        My snort.conf contains (was running on 2.8.4.1):
        
        var LINUX_SERVERS [192.168.1.2,192.168.1.3]
        
        preprocessor frag3_global: max_frags 65536, \
          prealloc_frags 65536, \
          memcap 524288
        preprocessor frag3_engine: policy linux \
               bind_to $LINUX_SERVERS \
               detect_anomalies
        
        However, starting snort fails each time on the frag3_engine line.
        
        I have tried using slash-notation for each IP, and using ipvar instead of
        var.
        Each time I get the error: Unable to process the IP address: LINUX_SERVERS.
        
        If I wrap use $(LINUX_SERVERS) or [$LINUX_SERVERS], etc, I receive the same
        error but with or without brackets.
        
        Using var and $(LINUX_SERVERS:?linux not defined), I receive the error
        "linux not defined".
        
        Any help would be greatly appreciated.
        
        -Lee
        
        
        
        





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

