Re: Snort 2.9.0.3 Now Available

[Ryan Jordan <ryan.jordan () sourcefire com>]

On Tue, Jan 4, 2011 at 4:27 AM,  <vincent () cojot name> wrote:
> Hi Ryan,
>
> First of all, thank you -very- much for all of this insightful information,
> it was exactly what I was looking for.
>
> On Mon, 3 Jan 2011, Ryan Jordan wrote:
>
> > Here's a few pieces of info that could help:
> >
> > - The RPMs we ship on snort.org are not compiled with IPv6 support. It
> > might be time to re-visit the default options in the RPM. There's a
> > lot of useful stuff that's not compiled by default.
>
> I'm only building rpm's for EL5&clones but my spec file is only very lightly
> modified and I try to stay as close as possible from that on snort.org. Do
> you think it might be a good idea to change the default BASE_CONFIG to
> something like the following?
>
> [....previous compile-time options...]
> >              --enable-decoder-preprocessor-rules --enable-targetbased \
> >              --enable-ipv6 \
> >              --enable-gre \
> >              --enable-mpls \
> >              --enable-ppm \
> >              --enable-perfprofiling \
> >              --enable-active-response \
> >              --enable-normalizer \
> >              --enable-reload \
> >              --enable-react \
> >              --enable-zlib \

That's pretty close to the set of flags I use personally (minus the
debug stuff). If you turn on --enable-zlib, make sure the spec file
gets updated to require zlib.

> > - When IPv6 support is enabled, "var" maps to "ipvar" for backwards
> > compatability. Enabling IPv6 will not break old confs.
>
> Ok, that's very very good. I will then make --enable-ipv6 the default for
> all my .el5 builds.
>
> > - The conf shipped with Snort uses "var" to maintain compatibility
> > with both flavors of Snort.
>
> Well, that's the issue I had with the 2.9.0.3 source release of snort.. the
> sample snort.conf under etc had 'ipvar ...', not 'var ...'

You're right, that got changed and I didn't notice. We've got a bug
filed about this now, so it should be fixed next release. In the
meantime, workarounds include:

1) Recompile Snort with --enable-ipv6
2) Change instances of 'ipvar' and 'portvar' back to 'var'.

Thanks for pointing out the problem.

> > There was a question about why the IPv4 version of the conf parser
> > doesn't recognize "ipvar". The "ipvar" keyword was added with the rest
> > of the IPv6 code, and parses IPv6 addresses while "var" does not. This
> > stuff is only defined when Snort is compiled with "--enable-ipv6".
> >
> > I agree that the optional nature of IPv6 support creates some
> > usability issues. That sounds like something we can address in the
> > future.
> >
> > -Ryan
>
> Thank you very much,
>
> Vincent

------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users