[Snort-devel] [PATCH]: snort_manual.tex: Remove 'Variable Modifiers' section as it doesn't work

Joshua.Kinard at ...3108... Joshua.Kinard at ...3108...
Wed May 25 20:58:27 EDT 2011


Hi snort-devel,

On page 28 and 29 of the 2.9.0.5 manual, the use of bash-style variable
modifiers is referenced.  However, this specific syntax is not
functional in Snort.  Using the exact sample given on page 29:

ipvar MY_NET 192.168.1.0/24
log tcp any any -> $(MY_NET:?MY_NET is undefined!) 23

I receive this when attempting to run Snort:

ERROR: local.rules(243) Undefined variable in the string:
$(MY_NET:?MY_NET.
Fatal Error, Quitting..

Attempting to just use plain $(MY_NET) still errors:
ERROR: local.rules(243) Undefined variable in the string: $(MY_NET).
Fatal Error, Quitting..


Same for portvars:
portvar NINJA_PORT 42
alert tcp any any -> any $(NINJA_PORT)

ERROR: local.rules(243) ***PortVar Lookup failed on '$(NINJA_PORT)'.
Fatal Error, Quitting..


I really don't see this as a widely-used feature.  I don't ever recall
seeing it at all in VRT or ET rulesets, though I'll admit I haven't
actually grepped for its use.  The attached patch proposes to delete
this section from the manual.  I did not check to see if there is any
dead code in Snort itself that requires removal as well.


Cheers!,

--J

-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort-2905-manual-del-advanced-var.patch
Type: application/octet-stream
Size: 1607 bytes
Desc: snort-2905-manual-del-advanced-var.patch
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20110525/629a69a2/attachment.obj>


More information about the Snort-devel mailing list