[Snort-users] Does anyone use '-S'?
cpw at ...440...
Thu Nov 30 17:23:29 EST 2000
I wanted to change a variable name 'LOG' defined in a '-c' file from the one
var LOG /data/log
The man page says:
-S n=v Set variable name "n" to value "v". This is useful
for setting the value of a defined variable name in
a Snort rules file to a command line specified
value. For instance, if you define a HOME_NET
variable name inside of a Snort rules file, you can
set this value from it's predefined value at the
So, I performed the following:
# snort -S LOG=/tmp/log -c rulesfile ...
Lo and behold, LOG was set to /tmp/log, and then purged and set to the
definition in the rulesfile (/data/log). I watched it happen using
By reading the snort.c source, I see that VarDefine is called immediately
while the command line is being parsed. Then, after all switches have
been accommodated, the routine ParseRulesFile is called, just before
It turns out that VarDefine is called under ParseRulesFile, as it should
be. However, if it finds a variable already defined, it does a 'free(p->value)'
and then replaces it with the one in the configuration file.
This seems to be a problem, at least with:
-*> Snort! <*-
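
Added example, not part of the original post and not Snort's source: a small C model of the define-order behaviour described above, next to a variant in which a command-line value cannot be replaced by a later rules-file definition. The names define_var, find_var, dup_str, resolve_log and the origin tag are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical variable table for illustration; not Snort's data structures. */
enum origin { FROM_CMDLINE, FROM_RULES };
struct var { char *name, *value; enum origin origin; struct var *next; };
static char *dup_str(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (!p) abort();
    return strcpy(p, s);
}
static struct var *find_var(struct var *v, const char *name) {
    while (v && strcmp(v->name, name) != 0) v = v->next;
    return v;
}
/* honor_cmdline == 0: a later definition always replaces an earlier one (the
   behaviour in the post). == 1: a rules-file value cannot replace a -S value. */
static void define_var(struct var **head, const char *name, const char *value,
                       enum origin origin, int honor_cmdline) {
    struct var *p = find_var(*head, name);
    if (p && honor_cmdline && p->origin == FROM_CMDLINE && origin == FROM_RULES)
        return;                      /* keep the operator's override */
    if (!p) {
        p = calloc(1, sizeof *p);
        if (!p) abort();
        p->name = dup_str(name);
        p->next = *head; *head = p;
    }
    free(p->value);                  /* NULL for a new entry; free(NULL) is a no-op */
    p->value = dup_str(value);
    p->origin = origin;
}
/* Replays the order from the post: -S LOG=/tmp/log, then "var LOG /data/log". */
const char *resolve_log(int honor_cmdline) {
    static char result[64];
    struct var *vars = NULL;
    define_var(&vars, "LOG", "/tmp/log", FROM_CMDLINE, honor_cmdline);
    define_var(&vars, "LOG", "/data/log", FROM_RULES, honor_cmdline);
    snprintf(result, sizeof result, "%s", vars->value);
    free(vars->name); free(vars->value); free(vars);
    return result;
}

int main(void) {
    printf("last definition wins: LOG=%s\n", resolve_log(0));
    printf("command line wins:    LOG=%s\n", resolve_log(1));
    return 0;
}
```

Recording where each value came from is what lets the second variant tell an operator override apart from an ordinary redefinition inside the rules file.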