[Snort-users] Does anyone use '-S'?

Phil Wood cpw at ...440...
Thu Nov 30 17:23:29 EST 2000


Folks,

I wanted to change a variable name 'LOG' defined in a '-c' file from the one
defined:

  var LOG /data/log

to LOG=/tmp/log

The man page says:

       -S n=v Set variable name "n" to value "v".  This is useful
              for setting the value of a defined variable name in
              a Snort rules file  to  a  command  line  specified
              value.   For  instance,  if  you  define a HOME_NET
              variable name inside of a Snort rules file, you can
              set  this  value  from its predefined value at the
              command line.

So, I performed the following:

  # snort -S LOG=/tmp/log -c rulesfile ...

Lo and behold, LOG was set to /tmp/log, and then purged and set to the
definition in the rulesfile (/data/log).  I watched it happen using
gdb.

By reading the snort.c source, I see that VarDefine is called immediately
while the command line is being parsed.  Then, after all switches have
been accommodated, the routine ParseRulesFile is called, just before
"Initialization Complete".

It turns out that VarDefine is called under ParseRulesFile, as it should
be.  However, if it finds a variable already defined, it does a 'free(p->value)'
and then replaces it with the one in the configuration file.

This seems to be a problem, at least with:

-*> Snort! <*-
Version 1.7-beta6

Thanks,

Phil
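A constructed C model of the clobbering described in the post above, added here as an example and not code from Snort; the table layout, VarSet, the from_cmdline flag and Simulate are assumptions. It puts the unconditional free-and-replace beside a variant that lets a -S definition survive the rules file.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdlib.h>
#include <string.h>
/* Hypothetical model of the variable table; not Snort's own code. */
struct VarEntry { char *name; char *value; int from_cmdline; };
static struct VarEntry var_table[16];
static int var_count = 0;

static struct VarEntry *VarFind(const char *name) {
    for (int i = 0; i < var_count; i++)
        if (strcmp(var_table[i].name, name) == 0) return &var_table[i];
    return NULL;
}

/* Add or replace. The free(p->value) is the step the post watched in gdb. */
static struct VarEntry *VarSet(const char *name, const char *value) {
    struct VarEntry *p = VarFind(name);
    if (p == NULL) {
        p = &var_table[var_count++];
        p->name = strdup(name); p->value = NULL; p->from_cmdline = 0;
    }
    free(p->value);
    p->value = strdup(value);
    return p;
}

/* Behaviour the post describes: the rules-file "var LOG /data/log"
 * unconditionally clobbers the earlier -S LOG=/tmp/log. */
void VarDefineBuggy(const char *name, const char *value) { VarSet(name, value); }
/* Fixed variant: a rules-file definition does not override a -S value. */
void VarDefineFixed(const char *name, const char *value, int from_cmdline) {
    struct VarEntry *p = VarFind(name);
    if (p != NULL && p->from_cmdline && !from_cmdline) return; /* keep -S value */
    VarSet(name, value)->from_cmdline = from_cmdline;
}
const char *VarGet(const char *name) { struct VarEntry *p = VarFind(name); return p ? p->value : NULL; }

void VarTableClear(void) {
    for (int i = 0; i < var_count; i++) { free(var_table[i].name); free(var_table[i].value); }
    var_count = 0;
}

/* Replays the post's sequence: -S LOG=/tmp/log, then "var LOG /data/log". */
const char *Simulate(int use_fix) {
    VarTableClear();
    if (use_fix) { VarDefineFixed("LOG", "/tmp/log", 1); VarDefineFixed("LOG", "/data/log", 0); }
    else         { VarDefineBuggy("LOG", "/tmp/log");    VarDefineBuggy("LOG", "/data/log"); }
    return VarGet("LOG");
}
```

Simulate(0) ends with /data/log, the purge-and-replace seen in gdb; Simulate(1) keeps /tmp/log because the rules-file definition is skipped for a variable the command line already set.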
