[Snort-users] frag3 bind_to and ipvar not working

Joel Esler jesler at ...1935...
Sat Mar 13 12:52:06 EST 2010


Did it work?  Or did it simply not throw an error?

--
Joel Esler
Sent from my iPhone

On Mar 13, 2010, at 11:02 AM, "Lee Clemens" <snort at ...13080...> wrote:

> Hi Alex,
>
> It was working this way in 2.8.4.1. I found it very useful since frag3 linux
> policy and stream5 linux policy tend to use the same IPs, SSL rules use the
> same ports as the ssl preprocessor to look for ssl traffic, etc.
>
> -Lee
>
> -----Original Message-----
> From: Alex Tatistcheff [mailto:alex.tatistcheff at ...11827...]
> Sent: Saturday, March 13, 2010 4:52 AM
>
>
> Lee,
>
> Unless something has radically changed lately you can't use variables in
> preprocessors to define ports and IP addresses.  Variables work for rules
> but for preprocessors try using the actual IPs instead.
>
> Alex Tatistcheff
> alext at ...492...
>
> The most terrifying words in the English language are, "I'm from the
> government and I'm here to help." -Ronald Reagan
>
> On Fri, Mar 12, 2010 at 7:21 PM, Lee Clemens <snort at ...13080...> wrote:
>
>
>    Hello,
>
>    I am using Snort 2.5.8.3 on Linux kernel 2.6.x.
>
>    My snort.conf contains (was running on 2.8.4.1):
>
>    var LINUX_SERVERS [192.168.1.2,192.168.1.3]
>
>    preprocessor frag3_global: max_frags 65536, \
>      prealloc_frags 65536, \
>      memcap 524288
>    preprocessor frag3_engine: policy linux \
>           bind_to $LINUX_SERVERS \
>           detect_anomalies
>
>    However, starting snort fails each time on the frag3_engine line.
>
>    I have tried using slash-notation for each IP, and using ipvar instead of
>    var.
>    Each time I get the error: Unable to process the IP address: LINUX_SERVERS.
>
>    If I use $(LINUX_SERVERS) or [$LINUX_SERVERS], etc, I receive the same
>    error but with or without brackets.
>
>    Using var and $(LINUX_SERVERS:?linux not defined), I receive the error
>    "linux not defined".
>
>    Any help would be greatly appreciated.
>
>    -Lee
>
>
>
>
>    ------------------------------------------------------------------------------
>    Download Intel® Parallel Studio Eval
>    Try the new software tools for yourself. Speed compiling, find bugs
>    proactively, and fine-tune applications for parallel performance.
>    See why Intel Parallel Studio got high marks during beta.
>    http://p.sf.net/sfu/intel-sw-dev
>    _______________________________________________
>    Snort-users mailing list
>    Snort-users at lists.sourceforge.net
>    Go to this URL to change user options or unsubscribe:
>    https://lists.sourceforge.net/lists/listinfo/snort-users
>    Snort-users list archive:
>    http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
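An added example, not code from anyone in this thread or from the Snort project: a small pre-processing step that applies the workaround suggested above (literal IPs in preprocessor lines) by expanding `$VAR` / `$(VAR)` references inside `preprocessor` statements while leaving rules untouched. The function names and the sample configuration are constructed for illustration, and it assumes `bind_to` accepts the bracketed list once it is written literally.

```python
import re

# Constructed sample modelled on the snort.conf quoted in the thread.
SAMPLE_CONF = """\
var LINUX_SERVERS [192.168.1.2,192.168.1.3]
ipvar HOME_NET 192.168.1.0/24
preprocessor frag3_global: max_frags 65536, \\
  prealloc_frags 65536, \\
  memcap 524288
preprocessor frag3_engine: policy linux \\
       bind_to $LINUX_SERVERS \\
       detect_anomalies
alert ip $HOME_NET any -> any any (msg:"constructed rule"; sid:1000001;)
"""

DEF_RE = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\w+)\s+(\S.*?)\s*$")
REF_RE = re.compile(r"\$\((\w+)\)|\$(\w+)")  # $(NAME) or $NAME, no :- / :? forms


def logical_lines(text):
    """Yield the physical lines of each backslash-continued statement as a list."""
    buf = []
    for line in text.splitlines():
        buf.append(line)
        if not line.rstrip().endswith("\\"):
            yield buf
            buf = []
    if buf:
        yield buf


def expand_preprocessor_vars(text):
    """Return (new_text, unresolved_names); only preprocessor statements are rewritten."""
    variables, unresolved, out = {}, [], []

    def substitute(match):
        name = match.group(1) or match.group(2)
        if name not in variables:
            unresolved.append(name)  # report it instead of writing a broken config
            return match.group(0)
        return variables[name]

    for lines in logical_lines(text):
        definition = DEF_RE.match(lines[0]) if len(lines) == 1 else None
        if definition:  # resolve nested references at definition time
            variables[definition.group(1)] = REF_RE.sub(substitute, definition.group(2))
        elif lines[0].lstrip().startswith("preprocessor"):
            lines = [REF_RE.sub(substitute, l) for l in lines]
        out.extend(lines)
    return "\n".join(out) + "\n", unresolved
```

A non-empty `unresolved` list means a preprocessor (or a variable definition) references a name that was never defined, which is worth failing on before the sensor is restarted.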



