Snort mailing list archives
Re: $eth1_ADDRESS still a valid variable in 2.9.7.0?
From: "Starner, Mark" <mark.starner () unisys com>
Date: Tue, 17 Feb 2015 17:54:29 +0000
Ok.. I get that….

So I come back to my original question. How do I get $ethX_ADDRESS variables assigned if --enable-sourcefire is configured and I am not running snort as root? I thought running as root was a bad idea?

Here is the section of code from parser.c

    #ifndef SOURCEFIRE
        /* If snort is not run with root privileges, no interfaces will be defined,
         * so user beware if an iface_ADDRESS variable is used in snort.conf and
         * snort is not run as root (even if just in read mode) */
        DefineAllIfaceVars(sc);
    #endif

Is there another way to enable that? Curious what the thinking is here?

Thanks
Mark

From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: Tuesday, February 17, 2015 12:21 PM
To: Starner, Mark
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?

Unfortunately that disables everything that we test against with the ruleset. I suggest you not do that.

On Feb 17, 2015, at 12:03 PM, Starner, Mark <mark.starner () unisys com> wrote:

I retract my question. I configured "--enable-sourcefire" for the first time and found the comment in parser.c that said the $IF_ADDRESS variables are not defined if Sourcefire is enabled and snort is not running as root. So I recompiled without "--enable-sourcefire" and all is well.

Maybe this will help anyone else who comes across this.

Mark

From: Starner, Mark [mailto:mark.starner () unisys com]
Sent: Tuesday, February 17, 2015 11:33 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?

I use $eth1_ADDRESS in one of my local rules, and when snort 2.9.7.0 starts, it says:

ERROR: rules/local.rules(8) Undefined variable in the string: $eth1_ADDRESS.

I think I encountered this with a previous upgrade, but I don't recall how I resolved it. So

1) Is this still valid with 2.9.7.0?
2) If Yes, then what would cause this NOT to be defined (yes, I verified I have an eth1 and it has an IP address defined).

Thanks
Mark

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- $eth1_ADDRESS still a valid variable in 2.9.7.0? Starner, Mark (Feb 17)
- Re: $eth1_ADDRESS still a valid variable in 2.9.7.0? Starner, Mark (Feb 17)
- Re: $eth1_ADDRESS still a valid variable in 2.9.7.0? Joel Esler (jesler) (Feb 17)
- Re: $eth1_ADDRESS still a valid variable in 2.9.7.0? Starner, Mark (Feb 17)
- Re: $eth1_ADDRESS still a valid variable in 2.9.7.0? Al Lewis (allewi) (Feb 17)
- Re: $eth1_ADDRESS still a valid variable in 2.9.7.0? James Lay (Feb 17)
- Re: $eth1_ADDRESS still a valid variable in 2.9.7.0? Starner, Mark (Feb 17)
- Re: $eth1_ADDRESS still a valid variable in 2.9.7.0? Starner, Mark (Feb 17)
- Re: $eth1_ADDRESS still a valid variable in 2.9.7.0? Joel Esler (jesler) (Feb 17)
- Re: $eth1_ADDRESS still a valid variable in 2.9.7.0? Starner, Mark (Feb 17)