[Snort-users] frag3 bind_to and ipvar not working

Lee Clemens snort at ...13080...
Sat Mar 13 11:02:15 EST 2010

Hi Alex,

It was working this way in I found it very useful since frag3 linux
policy and stream5 linux policy tend to use the same IPs, SSL rules use the
same ports as the ssl preprocessor to look for ssl traffic, etc.


-----Original Message-----
From: Alex Tatistcheff [mailto:alex.tatistcheff at ...11827...] 
Sent: Saturday, March 13, 2010 4:52 AM


Unless something has radically changed lately you can't use variables in
preprocessors to define ports and IP addresses.  Variables work for rules
but for preprocessors try using the actual IPs instead.

Alex Tatistcheff
alext at ...492...

The most terrifying words in the English language are, "I'm from the
government and I'm here to help." -Ronald Reagan

On Fri, Mar 12, 2010 at 7:21 PM, Lee Clemens <snort at ...13080...> wrote:

	I am using Snort on Linux kernel 2.6.x.
	My snort.conf contains (was running on
	preprocessor frag3_global: max_frags 65536, \
	  prealloc_frags 65536, \
	  memcap 524288
	preprocessor frag3_engine: policy linux \
	       bind_to $LINUX_SERVERS \
	However, starting snort fails each time on the frag3_engine line.
	I have tried using slash-notation for each IP, and using ipvar
instead of
	Each time I get the error: Unable to process the IP address:
	If I wrap use $(LINUX_SERVERS) or [$LINUX_SERVERS], etc, I receive
the same
	error but with or without brackets.
	Using var and $(LINUX_SERVERS:?linux not defined), I receive the
	"linux not defined".
	Any help would be greatly appreciated.
	Download Intel® Parallel Studio Eval
	Try the new software tools for yourself. Speed compiling, find bugs
	proactively, and fine-tune applications for parallel performance.
	See why Intel Parallel Studio got high marks during beta.
	Snort-users mailing list
	Snort-users at lists.sourceforge.net
	Go to this URL to change user options or unsubscribe:
list archive:

More information about the Snort-users mailing list