Re: What is the difference in using IPVAR and VAR ?

[Mike Lococo <mikelococo () gmail com>]

On 08/17/2011 10:57 PM, Michael Steele wrote:
> If I have ipv6 and ipv4 activated would I use ipvar and not var in the
> snort.conf?- Snort would be IPV6 compiled
>
> If I only have ipv4 activated,  would I use var in the snort.conf, or does
> it matter if I use ipvar? - Snort would not be IPV6 compiled

ipvar is a newer data-type that supports both IPv4 and IPv6 addresses. 
As long as snort is compiled with IPv6 support, ipvar is safe to use 
regardless of whether your site is primarily seeing v4 or v6 traffic 
(it's worth noting that you almost certainly have a tiny bit of v6 
traffic at your site even if you don't think you do).  However, if snort 
isn't compiled with v6 support, it will crash on startup due to not 
recognizing the ipvar keyword.

I'm not aware of any other issues or performance differences, I think 
ipvar is designed to completely replace var and we're in the transition 
period where both are supported.

If you do activate IPv6, remember that the db schema doesn't support v6 
events, so barnyard will just throw them away if you're using db output. 
  You'll have to review v6 events via output to text files or syslog or 
something.

Cheers,
Mike Lococo

------------------------------------------------------------------------------
Get a FREE DOWNLOAD! and learn more about uberSVN rich system, 
user administration capabilities and model configuration. Take 
the hassle out of deploying and managing Subversion and the 
tools developers use with it. http://p.sf.net/sfu/wandisco-d2d-2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!