[Snort-devel] [PATCH] Remove the variable modifiers section in the manual.

Joshua Kinard kumba at ...2185...
Mon Dec 26 19:24:51 EST 2011

I checked again to see if the bash-like variable modifiers work in Snort
with the newer releases.  They do not:

portvar HTTP_PORT 80

alert tcp any any -> any $(HTTP_PORT?FOOBAR) (msg:"HTTP GET for ~/hello";
flow:established,to_server; content:"GET"; http_method; content:"/~hello";
http_uri; sid:42000001; rev:1; classtype:misc-activity; )

$ ~/bin/snort -c local.rules -A console -k none -r tcp-http-tiny2.pcap -q
ERROR: local.rules(216) ***PortVar Lookup failed on '$(HTTP_PORT?FOOBAR)'.
Fatal Error, Quitting..

So, let's get rid of that section.

 snort_manual.tex |   46 ----------------------------------------------
 1 file changed, 46 deletions(-)


Joshua Kinard
kumba at ...2185...
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: snort-2.9.2-kill-variable-modifiers.patch
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20111226/0992d367/attachment.ksh>
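
A pre-flight check for rule files, added here as an example and not part of the original post or of Snort: it lists every parenthesised variable reference that carries a modifier, the form shown above aborting startup with "PortVar Lookup failed". The function names, the sample rules and the assumption that any text after the variable name inside `$( )` counts as a modifier are all hypothetical.

```python
import re

# Constructed sample rules file. Only the $(HTTP_PORT?FOOBAR) reference is
# taken from the post; every other line is made up for the example.
SAMPLE_RULES = """\
# local.rules (constructed sample)
portvar HTTP_PORT 80
alert tcp any any -> any $HTTP_PORT (msg:"plain reference"; sid:1000001; rev:1;)
alert tcp any any -> any $(HTTP_PORT?FOOBAR) (msg:"modifier"; \\
    sid:1000002; rev:1;)
# alert tcp any any -> any $(OLD_PORT?X) (msg:"commented out"; sid:1000003;)
"""

# Assumption: a modifier is anything between the variable name and ')'.
MODIFIER_REF = re.compile(
    r"\$\(([A-Za-z_][A-Za-z0-9_]*)([^A-Za-z0-9_)][^)]*)\)")
# var / portvar / ipvar declarations, used to show whether the name exists.
DECLARATION = re.compile(r"^\s*(?:var|portvar|ipvar)\s+(\S+)", re.MULTILINE)


def find_modifier_refs(text):
    """Return (line, reference, variable, modifier, declared) per hit."""
    declared = set(DECLARATION.findall(text))
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # skip comment lines, including commented-out rules
        for m in MODIFIER_REF.finditer(line):
            name, modifier = m.group(1), m.group(2)
            hits.append((lineno, m.group(0), name, modifier,
                         name in declared))
    return hits


if __name__ == "__main__":
    for lineno, ref, name, modifier, known in find_modifier_refs(SAMPLE_RULES):
        state = "declared" if known else "not declared"
        print(f"line {lineno}: {ref} uses modifier {modifier!r} "
              f"on {name} ({state})")
```

A hit on a declared variable matters as much as one on an undeclared name: in the post, `HTTP_PORT` was declared and the lookup still failed.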
