[Snort-devel] snort-1.81-beta5: eth0_ADDRESS substitution

Sven Carstens s.carstens at ...578...
Tue Jul 31 05:47:09 EDT 2001


On Sun, 30 Jul 2001, Martin Roesch <roesch at ...402...> wrote:
> Try 'var HOME_NET $eth0_address', that should work.  Additionally,
> please update to http://www.snort.org/files/snort-1.8.1-beta5.tar.gz,
> that's a much better version than 1.8-RELEASE.

Been there, done that and goofed again!

On Sun, 30 Jul 2001, Fyodor <fygrave at ...1...> wrote:
> hmm.. shouldn't it be eth0:0_ADDRESS? :) also is there any chance to
> rebuild snort with debugging options and show us the output? :)

I grabbed 1.8.1-beta5 and built it with debug output enabled.
Installed it on my development machine with network setup as follows:

-------------------------------------------------------
eth0      Link encap:Ethernet  HWaddr 00:80:C8:F5:83:7C
          inet addr:192.168.0.107  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::280:c8ff:fef5:837c/10 Scope:Link
          inet6 addr: fe80::80:c8f5:837c/10 Scope:Link
-------------------------------------------------------

I assume that the ExpandVars bit is relevant.
snort.conf is only one line

-------------------------------------------------------
var HOME_NET $eth0_address
-------------------------------------------------------

debug output (preprocessors snipped) is:

-------------------------------------------------------
Parsing Rules file snort.conf
 
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
initial idx set to '
'
[*] Processing rule: var HOME_NET $eth0_address
 
ExpandVars, Before: var HOME_NET $eth0_address
ExpandVars, After: var HOME_NET 216.250.40.64/4.0.0.0
mstring.c:110: [*] Splitting string: var HOME_NET 216.250.40.64/4.0.0.0
mstring.c:111: curr_str = 0
mstring.c:138: max_strs = 9  curr_str = 0
mstring.c:156: Allocating 4 bytes for token mstring.c:170: tok[0]: var
mstring.c:175: curr_str = 1
mstring.c:177: max_strs = 9  curr_str = 1
mstring.c:183: Checking if curr_str (1) >= max_strs (9)
mstring.c:156: Allocating 9 bytes for token mstring.c:170: tok[1]: HOME_NET
mstring.c:175: curr_str = 2
mstring.c:177: max_strs = 9  curr_str = 2
mstring.c:183: Checking if curr_str (2) >= max_strs (9)
mstring.c:248: Allocating 22 bytes for last token mstring.c:258: tok[2]: 216.250.40.64/4.0.0.0
mstring.c:263: mSplit got 3 tokens!
[*] Rule start
Rule type: Variable
0 Snort rules read...
0 Option Chains linked into 0 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
-------------------------------------------------------

CU Sven




