Snort mailing list archives

Re: Snort++: Specifying more than one daq vars


From: Russ <rucombs () cisco com>
Date: Wed, 29 Apr 2015 09:06:47 -0400

Thanks.  I've got a fix for this that should be in tomorrow's push. It 
will take this form:

     daq = { vars = 'name1=value1, name2=value2' }

since the DAQ parameters aren't iterable.

On 4/29/15 6:32 AM, Sancho Panza wrote:
Hello!

Maybe this problem occurs also elsewhere, but I stumbled across it while
trying to configure the nfq daq module for use in inline mode:

The nfq module accepts several custom parameters like "buffer_size" and
"proto". If you want to set them in your snort.lua, you have to specify
them with the "var" key in the daq table.

In my test setup, I wanted to configure these two like so:

daq =
    {
      ...,
      var = 'buffer_size=1234',
      var = 'proto=ip*'
    }

Alas, this doesn't work, probably because the second definition of "var"
overwrites the first one.

It only works if I specify each of them on the command line with the
--daq-var option. This is a bit annoying, as it forces you to mix
command line configuration with config file configuration.

How about:

daq =
    {
      ...,
      vars =
        {
          buffer_size = 1234,
          proto = 'ip*'
        }
    }


Thanks

Sancho

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
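
The duplicate-key problem and the string form from the reply, as an added example that is not part of the original thread or the Snort project's code: a Lua table holds one value per key, so two `var` fields cannot both survive, and a small helper in snort.lua can build the `vars` string from a table instead. The helper name `daq_vars` is hypothetical, and the assumption that a value may not contain a comma follows only from the comma-separated form shown in the reply.

```lua
-- Added example (not Snort project code).

-- 1) The failing configuration: a table stores exactly one value per key,
--    so repeating 'var' in the constructor leaves a single entry behind.
local broken = {
    var = 'buffer_size=1234',
    var = 'proto=ip*',
}
local count = 0
for _ in pairs(broken) do count = count + 1 end
print('entries kept from two var fields: ' .. count)

-- 2) Hypothetical helper: turn a name/value table into the
--    'name1=value1, name2=value2' string form given in the reply.
local function daq_vars(t)
    local names = {}
    for name in pairs(t) do
        -- Names must be plain identifiers so the string stays unambiguous.
        assert(type(name) == 'string' and name:match('^[%w_]+$'),
               'bad DAQ variable name: ' .. tostring(name))
        names[#names + 1] = name
    end
    table.sort(names)  -- pairs() order is unspecified; sort for stable output

    local parts = {}
    for _, name in ipairs(names) do
        local value = tostring(t[name])
        -- Assumption: the comma is the separator and there is no escaping,
        -- so a value containing one would be split incorrectly.
        assert(not value:find(',', 1, true),
               'DAQ variable value contains a comma: ' .. name)
        parts[#parts + 1] = name .. '=' .. value
    end
    return table.concat(parts, ', ')
end

-- 3) Use in snort.lua (other daq settings omitted here).
daq = {
    vars = daq_vars { buffer_size = 1234, proto = 'ip*' },
}
print(daq.vars)
```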

