Snort mailing list archives
Re: Snort 2.9.0.3 Now Available
From: Ryan Jordan <ryan.jordan () sourcefire com>
Date: Mon, 3 Jan 2011 14:43:05 -0500
Here are a few pieces of info that could help:

- The RPMs we ship on snort.org are not compiled with IPv6 support. It might be time to re-visit the default options in the RPM. There's a lot of useful stuff that's not compiled by default.
- When IPv6 support is enabled, "var" maps to "ipvar" for backwards compatibility. Enabling IPv6 will not break old confs.
- The documentation (both Snort Manual and README.variables) notes that "ipvar" only works with IPv6 support enabled, and that you should replace it with a normal "var" in non-IPv6 installations.
- The conf shipped with Snort uses "var" to maintain compatibility with both flavors of Snort.

There was a question about why the IPv4 version of the conf parser doesn't recognize "ipvar". The "ipvar" keyword was added with the rest of the IPv6 code, and parses IPv6 addresses while "var" does not. This stuff is only defined when Snort is compiled with "--enable-ipv6".

I agree that the optional nature of IPv6 support creates some usability issues. That sounds like something we can address in the future.

-Ryan

On Mon, Jan 3, 2011 at 9:21 AM, Joel Esler <jesler () sourcefire com> wrote:
> I put in a bug for this to correct the issue.
>
> On Dec 29, 2010, at 12:40 PM, vincent () cojot name wrote:
>
>> On Tue, 28 Dec 2010, James Kaufman wrote:
>>
>>> I think the issue here is that the documentation says to use 'ipvar', rather than 'var'. Yet ipvar is invalid in the snort.conf if you don't enable ipv6. That just seems wrong somehow. Why is the parser for ipv4 installations unable to understand the ipvar token?
>>>
>>> Jim
>>
>> Yes, I agree with you James. Also, I think, from an outsider's point of view, there is a total of 4 different cases to be handled:
>>
>> - A) Non-IPV6-enabled snort + snort.conf with tokens like 'var HOME_NET..'
>>   * This works by default but the config file's syntax is wrong when IPV6 is enabled (ipvar should be used instead). I guess most users are running that kind of config.
>> - B) Non-IPV6-enabled snort + snort.conf with tokens like 'ipvar HOME_NET..'
>>   * non-IPV6 snort could be modified to treat these like 'var' since we already know that they are related to networks..
>> - C) IPV6-enabled snort + snort.conf with tokens like 'ipvar HOME_NET..'
>>   * Again, this works by design/default. I guess most users with an IPV6 snort are running this kind of config.
>> - D) Non-IPV6-enabled snort + snort.conf with tokens like 'var HOME_NET..'
>>   * This is, IMHO, the most difficult case to handle. This case looks like config rules from an older snort but it could also be a configuration error (i.e.: the user meant a 'var' but she used an 'ipvar', or the opposite).
>>
>> So in order to make things easier for the users, something would need to be implemented for cases B) and D) (for D), perhaps snort could simply abort and warn the user if a 'var' looks like what should be an 'ipvar').
>>
>> Of course, that's just my 2c, I have very very limited knowledge of how snort actually works...
>>
>> Vincent

------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers to consolidate database storage, standardize their database environment, and, should the need arise, upgrade to a full multi-node Oracle RAC database without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
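The thread boils down to two facts (Ryan: on an IPv6 build "var" maps to "ipvar", on a non-IPv6 build "ipvar" is not a keyword at all and "var" cannot hold IPv6 addresses) and one proposal (Vincent: treat "ipvar" like "var" on non-IPv6 builds, and warn when a "var" holds what should be an "ipvar"). The script below is an added example, not code from this thread or from the Snort project: a small pre-flight lint that reads a snort.conf, is told which flavour of Snort will load it, and reports the lines that flavour would reject, plus a helper that performs the case-B downgrade while refusing to silently drop IPv6 values. The sample conf, the two-colon IPv6 heuristic and the `Finding` type are all constructed for the example.

```python
"""Lint var/ipvar usage in a snort.conf against the build flavour that will load it.
Added example; assumed heuristics, not Snort's own parser."""
import re
from dataclasses import dataclass

# Constructed sample snort.conf fragment; not the conf shipped with Snort.
SAMPLE_CONF = """\
# network variables (constructed sample)
var HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
ipvar DNS_SERVERS [192.168.1.53,2001:db8::53]
var SMTP_SERVERS [10.0.0.25,2001:db8::25]
var RULE_PATH ../rules
portvar HTTP_PORTS [80,8080]
"""

# Assumed heuristic: a token with two or more colons is an IPv6 literal.
# Port lists in this file use commas and brackets, never colons, so it does not misfire on them.
IPV6_LITERAL = re.compile(r"[0-9A-Fa-f]{0,4}(?::[0-9A-Fa-f]{0,4}){2,}")
DIRECTIVE = re.compile(r"^\s*(var|ipvar|portvar)\s+(\S+)\s+(.*?)\s*$")


@dataclass(frozen=True)
class Finding:
    line: int
    level: str      # "error" (build will not load the line) or "warning"
    message: str


def lint_conf(text: str, ipv6_build: bool) -> list[Finding]:
    """Return the var/ipvar lines that the given build flavour rejects or mis-reads."""
    findings: list[Finding] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        m = DIRECTIVE.match(raw)
        if not m:
            continue                      # comments, blank lines, other directives
        keyword, name, value = m.groups()
        has_v6 = bool(IPV6_LITERAL.search(value))
        if keyword == "ipvar" and not ipv6_build:
            # Case B: the IPv4-only parser does not know the keyword at all.
            findings.append(Finding(n, "error",
                f"'ipvar {name}' is rejected by a non-IPv6 build; use 'var'"))
        if has_v6 and not ipv6_build:
            # Neither keyword can carry an IPv6 address on a non-IPv6 build.
            findings.append(Finding(n, "error",
                f"{name} holds an IPv6 address, which a non-IPv6 build cannot parse"))
        if keyword == "var" and ipv6_build and has_v6:
            # On an IPv6 build 'var' maps to 'ipvar', so this loads; flag the intent only.
            findings.append(Finding(n, "warning",
                f"'var {name}' holds IPv6 addresses; 'ipvar' states the intent explicitly"))
    return findings


def downgrade_to_var(text: str) -> tuple[str, list[Finding]]:
    """Rewrite 'ipvar' to 'var' for an IPv4-only build (Vincent's case B).
    Lines whose value contains an IPv6 literal are left untouched and reported,
    because 'var' on such a build cannot represent them."""
    out: list[str] = []
    findings: list[Finding] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        m = DIRECTIVE.match(raw)
        if m and m.group(1) == "ipvar":
            if IPV6_LITERAL.search(m.group(3)):
                findings.append(Finding(n, "error",
                    f"cannot downgrade 'ipvar {m.group(2)}': value has IPv6 addresses"))
            else:
                raw = raw.replace("ipvar", "var", 1)
        out.append(raw)
    return "\n".join(out) + "\n", findings


if __name__ == "__main__":
    for flavour in (False, True):
        print(f"--- ipv6_build={flavour}")
        for f in lint_conf(SAMPLE_CONF, ipv6_build=flavour):
            print(f"line {f.line}: {f.level}: {f.message}")
    rewritten, problems = downgrade_to_var(SAMPLE_CONF)
    print("--- downgraded conf")
    print(rewritten, end="")
    for f in problems:
        print(f"line {f.line}: {f.level}: {f.message}")
```

Run it against a real snort.conf before deploying to a box whose RPM was built without `--enable-ipv6`; the "error" findings are exactly the lines that Snort will refuse, and the downgrade helper only rewrites what can be rewritten losslessly.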
Current thread:
- Re: Snort 2.9.0.3 Now Available Joel Esler (Jan 03)
- Re: Snort 2.9.0.3 Now Available Ryan Jordan (Jan 03)
- Re: Snort 2.9.0.3 Now Available vincent (Jan 04)
- Re: Snort 2.9.0.3 Now Available Ryan Jordan (Jan 04)
- Re: Snort 2.9.0.3 Now Available vincent (Jan 07)
- Re: Snort 2.9.0.3 Now Available anvin igcar (Jan 07)
- Re: Snort 2.9.0.3 Now Available vincent (Jan 04)
- Re: Snort 2.9.0.3 Now Available Ryan Jordan (Jan 03)
- <Possible follow-ups>
- Re: Snort 2.9.0.3 Now Available vincent (Jan 03)