[Snort-users] frag3 bind_to and ipvar not working

Alex Tatistcheff alex.tatistcheff at ...11827...
Sat Mar 13 04:51:38 EST 2010


Lee,

Unless something has radically changed lately you can't use variables in
preprocessors to define ports and IP addresses.  Variables work for rules
but for preprocessors try using the actual IPs instead.

Alex Tatistcheff
alext at ...492...

The most terrifying words in the English language are, "I'm from the
government and I'm here to help." -Ronald Reagan




On Fri, Mar 12, 2010 at 7:21 PM, Lee Clemens <snort at ...13080...> wrote:

> Hello,
>
> I am using Snort 2.5.8.3 on Linux kernel 2.6.x.
>
> My snort.conf contains (was running on 2.8.4.1):
>
> var LINUX_SERVERS [192.168.1.2,192.168.1.3]
>
> preprocessor frag3_global: max_frags 65536, \
>   prealloc_frags 65536, \
>   memcap 524288
> preprocessor frag3_engine: policy linux \
>        bind_to $LINUX_SERVERS \
>        detect_anomalies
>
> However, starting snort fails each time on the frag3_engine line.
>
> I have tried using slash-notation for each IP, and using ipvar instead of
> var.
> Each time I get the error: Unable to process the IP address: LINUX_SERVERS.
>
> If I wrap it using $(LINUX_SERVERS) or [$LINUX_SERVERS], etc., I receive the same
> error but with or without brackets.
>
> Using var and $(LINUX_SERVERS:?linux not defined), I receive the error
> "linux not defined".
>
> Any help would be greatly appreciated.
>
> -Lee