Snort mailing list archives

Re: Snort 2.9.0.3 Now Available


From: vincent () cojot name
Date: Tue, 4 Jan 2011 10:27:33 +0100 (CET)


Hi Ryan,

First of all, thank you -very- much for all of this insightful 
information, it was exactly what I was looking for.

On Mon, 3 Jan 2011, Ryan Jordan wrote:

Here's a few pieces of info that could help:

- The RPMs we ship on snort.org are not compiled with IPv6 support. It
might be time to re-visit the default options in the RPM. There's a
lot of useful stuff that's not compiled by default.

I'm only building RPMs for EL5&clones but my spec file is only very 
lightly modified and I try to stay as close as possible to the one on 
snort.org. Do you think it might be a good idea to change the default 
BASE_CONFIG to something like the following?

[....previous compile-time options...]
              --enable-decoder-preprocessor-rules --enable-targetbased \
              --enable-ipv6 \
              --enable-gre \
              --enable-mpls \
              --enable-ppm \
              --enable-perfprofiling \
              --enable-active-response \
              --enable-normalizer \
              --enable-reload \
              --enable-react \
              --enable-zlib \


- When IPv6 support is enabled, "var" maps to "ipvar" for backwards
compatibility. Enabling IPv6 will not break old confs.

Ok, that's very very good. I will then make --enable-ipv6 the default for 
all my .el5 builds.

- The conf shipped with Snort uses "var" to maintain compatibility
with both flavors of Snort.

Well, that's the issue I had with the 2.9.0.3 source release of snort.. 
the sample snort.conf under etc had 'ipvar ...', not 'var ...'

There was a question about why the IPv4 version of the conf parser
doesn't recognize "ipvar". The "ipvar" keyword was added with the rest
of the IPv6 code, and parses IPv6 addresses while "var" does not. This
stuff is only defined when Snort is compiled with "--enable-ipv6".

I agree that the optional nature of IPv6 support creates some
usability issues. That sounds like something we can address in the
future.

-Ryan

Thank you very much,

Vincent
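
The "var"/"ipvar" behaviour discussed in this thread, as an added example that is not part of the original post or of Snort's own code: a pre-flight check that lists the declarations in a snort.conf which a build without --enable-ipv6 would reject. The names check_conf and has_ipv6 and the sample conf are assumptions constructed for illustration.

```python
import ipaddress
import re

# Matches "var NAME value" and "ipvar NAME value" declarations in snort.conf.
DECL = re.compile(r"^\s*(var|ipvar)\s+(\S+)\s+(.+?)\s*$")

# Constructed sample input, not the snort.conf shipped with any release.
SAMPLE = """\
# constructed sample
ipvar HOME_NET [192.168.1.0/24,10.0.0.0/8]
ipvar DMZ_NET [2001:db8:10::/48,172.16.0.0/12]
var EXTERNAL_NET !$HOME_NET
var RULE_PATH ../rules
"""

def has_ipv6(value):
    """True if a variable value contains an IPv6 address or network literal."""
    for token in re.split(r"[\[\],\s!]+", value):
        if not token or token.startswith("$"):
            continue  # empty split piece or a reference to another variable
        try:
            if ipaddress.ip_network(token, strict=False).version == 6:
                return True
        except ValueError:
            pass  # paths, ports, "any" and other non-address values
    return False

def check_conf(text, ipv6_build):
    """Return (line_no, name, advice) for declarations the build cannot parse."""
    if ipv6_build:
        return []  # per the thread: "var" maps to "ipvar", old confs keep working
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        m = DECL.match(line)
        if not m:
            continue
        keyword, name, value = m.groups()
        if keyword == "ipvar":
            # "ipvar" only exists in IPv6 builds; renaming is safe only
            # when the value holds no IPv6 literal.
            advice = "needs --enable-ipv6" if has_ipv6(value) else "rename to var"
            problems.append((no, name, advice))
        elif has_ipv6(value):
            problems.append((no, name, "IPv6 literal in var"))
    return problems

if __name__ == "__main__":
    for no, name, advice in check_conf(SAMPLE, ipv6_build=False):
        print(f"line {no}: {name}: {advice}")
```
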
