Snort mailing list archives
Re: What is the difference in using IPVAR and VAR ?
From: Mike Lococo <mikelococo () gmail com>
Date: Thu, 18 Aug 2011 18:14:06 -0400
On 08/18/2011 05:38 PM, Michael Steele wrote:
> If I have ipv6 and ipv4 enabled, then I would need to compile Snort with ipv6 and use ipvar?
Yes.
> If I have ipv4 installed I could still use ipvar as long as I have Snort compiled for ipv6, even though ipv6 was not installed on the box?
Probably, I haven't tested this.
> It's a little confusing because if I use: ipvar RULE_PATH d:\winids\snort\rules
This shows a deep confusion about all snort variable types, not just the var/ipvar transition. RULE_PATH doesn't actually contain an ip address, it contains the string "d:\winids\snort\rules" so you cannot use an ipvar here under any circumstances.

Summarizing section 2.1.2 of the snort manual, Snort config files support more than one type of variable:

- ipvar: Can only be used to represent ip-addresses or lists/ranges of ip-addresses.
- portvar: Can only be used to represent port-numbers or lists/ranges of port-numbers.
- var: An ambiguous keyword that depending on context can be used to represent ip-addrs (or lists/ranges of ip-addrs), port-numbers (or lists/ranges of port-numbers), or it can be used to represent a simple text-string.

In older versions of Snort, every type of variable was declared with the "var" keyword. New keywords "ipvar" and "portvar" were introduced at some point to address those commonly used types. "var" is now needed only for declaring string-type variables, but it is still possible (for now) to use "var" to declare variables containing ports or ip-addrs. This ability is provided primarily for backwards compatibility with old config-files that still use var to declare everything.

What you should do is:

- If you can get ipv6 support compiled in, use the right keyword for each variable type.
- If you can't get ipv6 support compiled in, use the var keyword for strings and ip-addrs, and use the portvar keyword for port-numbers.
> I get an error and have to go back to: var RULE_PATH d:\winids\snort\rules
"var" is always the correct way to declare string-type variables like RULE_PATH.

Cheers,
Mike Lococo
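Added example, not part of the original message and not code from the Snort project: a small Python check that applies the keyword advice in the reply above to the variable declarations in a config file. The value classifier is a simplified assumption rather than Snort's own parser, and the `ipv6_build` flag and the sample lines are constructed (only the RULE_PATH line comes from the thread).

```python
import ipaddress
import re

DECL = re.compile(r"^\s*(ipvar|portvar|var)\s+(\S+)\s+(.+?)\s*$")
PORT = re.compile(r"\d{1,5}(:\d{0,5})?|:\d{1,5}")   # 80, 8080:8090, 1024:, :1023
REF = re.compile(r"\$\w+")                           # reference to another variable

def _is_ip(item):
    try:
        ipaddress.ip_network(item, strict=False)     # IPv4/IPv6 host or CIDR
        return True
    except ValueError:
        return False

def classify(value):
    """Return 'ip', 'port', 'string', or 'either' (only 'any' / $REF items)."""
    # Drop list brackets, negation and whitespace, then look at each element.
    items = [i for i in re.sub(r"[\[\]!\s]", "", value).split(",") if i]
    concrete = [i for i in items if i != "any" and not REF.fullmatch(i)]
    if not concrete:
        return "either" if items else "string"
    if all(PORT.fullmatch(i) for i in concrete):
        return "port"
    if all(_is_ip(i) for i in concrete):
        return "ip"
    return "string"

def lint(conf_text, ipv6_build=True):
    """Return (line_no, name, message) for declarations that go against the advice."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = DECL.match(line.split("#", 1)[0])        # ignore trailing comments
        if m is None:
            continue
        kw, name, value = m.groups()
        kind = classify(value)
        want = {"ip": "ipvar" if ipv6_build else "var", "port": "portvar", "string": "var"}.get(kind)
        if want and want != kw:
            findings.append((no, name, f"{kind} value declared with '{kw}', use '{want}'"))
    return findings

# Constructed sample config; only the RULE_PATH line is taken from the thread.
SAMPLE = r"""
ipvar HOME_NET [192.168.1.0/24,10.0.0.0/8]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS 192.168.1.53
var HTTP_PORTS [80,8080:8090]
portvar SSH_PORTS 22
ipvar RULE_PATH d:\winids\snort\rules
""".lstrip()
```

Calling `lint(SAMPLE)` reports the `var` declarations holding an address or ports and the `ipvar RULE_PATH` line; `lint(SAMPLE, ipv6_build=False)` instead reports `ipvar HOME_NET`, following the second bullet of the advice.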