Snort mailing list archives
Re: $eth1_ADDRESS still a valid variable in 2.9.7.0?
From: "Starner, Mark" <mark.starner () unisys com>
Date: Tue, 17 Feb 2015 17:54:29 +0000
Ok.. I get that…. So I come back to my original question.
How do I get $ethX_ADDRESS variables assigned if –enable-sourcefire is configured and I am not running snort as root? I
thought running as root was a bad idea?
Here is the section of code from parser.c
#ifndef SOURCEFIRE
/* If snort is not run with root privileges, no interfaces will be defined,
* so user beware if an iface_ADDRESS variable is used in snort.conf and
* snort is not run as root (even if just in read mode) */
DefineAllIfaceVars(sc);
#endif
Is there another way to enable that?
Curious what the thinking is here?
Thanks
Mark
From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: Tuesday, February 17, 2015 12:21 PM
To: Starner, Mark
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?
Unfortunately that disables everything that we test against with the ruleset. I suggest you not do that.
On Feb 17, 2015, at 12:03 PM, Starner, Mark <mark.starner () unisys com <mailto:mark.starner () unisys com> > wrote:
I retract my question. I configured “—enable-sourcefire” for the first time and found the comment in parser.c that said
the $IF_ADDRESS variables are not defined if Sourcefire is enabled and snort is not running as root. So I recompiled
without “—enable-sourcefire” and all is well.
Maybe this will help anyone else who comes across this.
Mark
From: Starner, Mark [mailto:mark.starner () unisys com]
Sent: Tuesday, February 17, 2015 11:33 AM
To: snort-users () lists sourceforge net <mailto:snort-users () lists sourceforge net>
Subject: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?
I use $eth1_ADDRESS in one of my local rules, and when snort 2.9.7.0 starts, it says:
ERROR: rules/local.rules(8) Undefined variable in the string: $eth1_ADDRESS.
I think I encountered this with a previous upgrade, but I don’t recall how I resolved it.
So
1) Is this still valid with 2.9.7.0?
2) If Yes, then what would cause this NOT to be defined (yes, I verified I have an eth1 and it has an IP address
defined.
Thanks
Mark
------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=190641631
<http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk_______________________________________________>
&iu=/4140/ostg.clktrk_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net <mailto:Snort-users () lists sourceforge net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Attachment:
smime.p7s
Description:
------------------------------------------------------------------------------ Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server from Actuate! Instantly Supercharge Your Business Reports and Dashboards with Interactivity, Sharing, Native Excel Exports, App Integration & more Get technology previously reserved for billion-dollar corporations, FREE http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- $eth1_ADDRESS still a valid variable in 2.9.7.0? Starner, Mark (Feb 17)
- Re: $eth1_ADDRESS still a valid variable in 2.9.7.0? Starner, Mark (Feb 17)
- Re: $eth1_ADDRESS still a valid variable in 2.9.7.0? Joel Esler (jesler) (Feb 17)
- Re: $eth1_ADDRESS still a valid variable in 2.9.7.0? Starner, Mark (Feb 17)
- Re: $eth1_ADDRESS still a valid variable in 2.9.7.0? Al Lewis (allewi) (Feb 17)
- Re: $eth1_ADDRESS still a valid variable in 2.9.7.0? James Lay (Feb 17)
- Re: $eth1_ADDRESS still a valid variable in 2.9.7.0? Starner, Mark (Feb 17)
- Re: $eth1_ADDRESS still a valid variable in 2.9.7.0? Starner, Mark (Feb 17)
- Re: $eth1_ADDRESS still a valid variable in 2.9.7.0? Joel Esler (jesler) (Feb 17)
- Re: $eth1_ADDRESS still a valid variable in 2.9.7.0? Starner, Mark (Feb 17)