Snort mailing list archives
Re: $eth1_ADDRESS still a valid variable in 2.9.7.0?
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 17 Feb 2015 13:51:58 -0700
On 2015-02-17 01:32 PM, Al Lewis (allewi) wrote:
Can you send us the conf file you are using? Or how you are defining the variables?

Thanks!

Albert Lewis
QA Software Engineer
SOURCEFIRE, Inc. now part of CISCO
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

FROM: Starner, Mark [mailto:mark.starner () unisys com]
SENT: Tuesday, February 17, 2015 12:54 PM
TO: snort-users () lists sourceforge net
SUBJECT: Re: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?

Ok.. I get that…. So I come back to my original question.

How do I get $ethX_ADDRESS variables assigned if -enable-sourcefire is configured and I am not running snort as root? I thought running as root was a bad idea?

Here is the section of code from parser.c

#ifndef SOURCEFIRE
    /* If snort is not run with root privileges, no interfaces will be defined,
     * so user beware if an iface_ADDRESS variable is used in snort.conf and
     * snort is not run as root (even if just in read mode) */
    DefineAllIfaceVars(sc);
#endif

Is there another way to enable that? Curious what the thinking is here?

Thanks
Mark

FROM: Joel Esler (jesler) [mailto:jesler () cisco com [9]]
SENT: Tuesday, February 17, 2015 12:21 PM
TO: Starner, Mark
CC: snort-users () lists sourceforge net [10]
SUBJECT: Re: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?

Unfortunately that disables everything that we test against with the ruleset. I suggest you not do that.

On Feb 17, 2015, at 12:03 PM, Starner, Mark <mark.starner () unisys com [1]> wrote:

I retract my question.

I configured "--enable-sourcefire" for the first time and found the comment in parser.c that said the $IF_ADDRESS variables are not defined if Sourcefire is enabled and snort is not running as root. So I recompiled without "--enable-sourcefire" and all is well.

Maybe this will help anyone else who comes across this.

Mark

FROM: Starner, Mark [mailto:mark.starner () unisys com [2]]
SENT: Tuesday, February 17, 2015 11:33 AM
TO: snort-users () lists sourceforge net [3]
SUBJECT: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?

I use $eth1_ADDRESS in one of my local rules, and when snort 2.9.7.0 starts, it says:

ERROR: rules/local.rules(8) Undefined variable in the string: $eth1_ADDRESS.

I think I encountered this with a previous upgrade, but I don't recall how I resolved it.

So
1) Is this still valid with 2.9.7.0?
2) If Yes, then what would cause this NOT to be defined (yes, I verified I have an eth1 and it has an IP address defined)?

Thanks
Mark

Define it at the start of local.rules:

ipvar eth1_ADDRESS <ip.address>

James

Links:
------
[1] mailto:mark.starner () unisys com
[2] mailto:mark.starner () unisys com
[3] mailto:snort-users () lists sourceforge net
[9] mailto:jesler () cisco com
[10] mailto:snort-users () lists sourceforge net
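
The fix in the reply above can be checked before Snort is started. The following is an added example, not code from the thread or from the Snort project: a pre-flight check that walks configuration text in order, records var/ipvar/portvar definitions, and reports every $<iface>_ADDRESS reference that appears before its definition. The file contents, addresses and rule are constructed samples, and the check assumes definitions must precede use and covers only the $NAME and $(NAME) reference forms.

```python
import re

# Snort 2.9 definition keywords: var, ipvar, portvar.
DEF_RE = re.compile(r"^\s*(?:ip|port)?var\s+(\w+)\s+\S")
# $NAME_ADDRESS or $(NAME_ADDRESS): the interface-address variable form.
REF_RE = re.compile(r"\$\(?(\w+_ADDRESS)\b")


def undefined_iface_vars(files):
    """files: list of (name, text) in the order Snort reads them.

    Returns (file, line_number, variable) for every $<iface>_ADDRESS
    that is used before a var/ipvar line has defined it.
    """
    defined, problems = set(), []
    for name, text in files:
        for lineno, line in enumerate(text.splitlines(), 1):
            if line.lstrip().startswith("#"):
                continue  # whole-line comment
            # Check references first so a line cannot satisfy itself.
            for var in REF_RE.findall(line):
                if var not in defined:
                    problems.append((name, lineno, var))
            m = DEF_RE.match(line)
            if m:
                defined.add(m.group(1))
    return problems


# Constructed sample input (not taken from the thread).
RULE = ('alert icmp any any -> $eth1_ADDRESS any '
        '(msg:"constructed sample"; sid:1000001; rev:1;)\n')
SNORT_CONF = "ipvar HOME_NET 192.0.2.0/24\n"
BROKEN_RULES = "# constructed sample\n" * 7 + RULE   # rule lands on line 8
FIXED_RULES = "ipvar eth1_ADDRESS 192.0.2.10\n" + BROKEN_RULES


def check(rules_text):
    """Run the check over snort.conf followed by rules/local.rules."""
    return undefined_iface_vars(
        [("snort.conf", SNORT_CONF), ("rules/local.rules", rules_text)])


if __name__ == "__main__":
    for name, lineno, var in check(BROKEN_RULES):
        print(f"{name}({lineno}): ${var} is used but never defined")
    print("after adding the ipvar line:", check(FIXED_RULES))
```

Running such a check in deployment tooling catches the missing definition without needing Snort to run as root to populate interface variables.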