[Snort-users] frag3 bind_to and ipvar not working

Alex Tatistcheff alex.tatistcheff at ...11827...
Sun Mar 14 00:21:43 EST 2010


Never was possible that I know of.  You may have encountered one of those
rare instances where there was an error in the snort.conf but snort started
anyway.

Alex Tatistcheff
alext at ...492...

The most terrifying words in the English language are, "I'm from the
government and I'm here to help." -Ronald Reagan




On Sat, Mar 13, 2010 at 5:45 PM, Lee Clemens <snort at ...13080...> wrote:

> Changing to IPs works fine.
>
> Wish I could still use var's though, is it no longer possible?
>
> -----Original Message-----
> From: Joel Esler [mailto:jesler at ...1935...]
> Sent: Saturday, March 13, 2010 12:52 PM
>
>
> Did it work?  Or did it simply not throw an error?
>
> --
> Joel Esler
> Sent from my iPhone
>
> On Mar 13, 2010, at 11:02 AM, "Lee Clemens" <snort at ...13080...> wrote:
>
> > Hi Alex,
> >
> > It was working this way in 2.8.4.1. I found it very useful since frag3 linux
> > policy and stream5 linux policy tend to use the same IPs, SSL rules use the
> > same ports as the ssl preprocessor to look for ssl traffic, etc.
> >
> > -Lee
> >
> > -----Original Message-----
> > From: Alex Tatistcheff [mailto:alex.tatistcheff at ...11827...]
> > Sent: Saturday, March 13, 2010 4:52 AM
> >
> >
> > Lee,
> >
> > Unless something has radically changed lately you can't use variables in
> > preprocessors to define ports and IP addresses.  Variables work for rules
> > but for preprocessors try using the actual IPs instead.
> >
> > Alex Tatistcheff
> > alext at ...492...
> >
> > The most terrifying words in the English language are, "I'm from the
> > government and I'm here to help." -Ronald Reagan
> >
> >
> >
> >
> >
> > On Fri, Mar 12, 2010 at 7:21 PM, Lee Clemens <snort at ...13080...> wrote:
> >
> >
> >    Hello,
> >
> >    I am using Snort 2.5.8.3 on Linux kernel 2.6.x.
> >
> >    My snort.conf contains (was running on 2.8.4.1):
> >
> >    var LINUX_SERVERS [192.168.1.2,192.168.1.3]
> >
> >    preprocessor frag3_global: max_frags 65536, \
> >      prealloc_frags 65536, \
> >      memcap 524288
> >    preprocessor frag3_engine: policy linux \
> >           bind_to $LINUX_SERVERS \
> >           detect_anomalies
> >
> >    However, starting snort fails each time on the frag3_engine line.
> >
> >    I have tried using slash-notation for each IP, and using ipvar instead of
> >    var.
> >    Each time I get the error: Unable to process the IP address: LINUX_SERVERS.
> >
> >    If I use $(LINUX_SERVERS) or [$LINUX_SERVERS], etc, I receive the same
> >    error but with or without brackets.
> >
> >    Using var and $(LINUX_SERVERS:?linux not defined), I receive the error
> >    "linux not defined".
> >
> >    Any help would be greatly appreciated.
> >
> >    -Lee
> >
> >    _______________________________________________
> >    Snort-users mailing list
> >    Snort-users at lists.sourceforge.net
> >    Go to this URL to change user options or unsubscribe:
> >    https://lists.sourceforge.net/lists/listinfo/snort-users
> >    Snort-users list archive:
> >    http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
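
Because the replies above say preprocessor options need literal addresses while rules can keep using variables, one way to keep a single definition is to expand variables into the preprocessor lines before Snort reads the file. This is an added example, not part of the original thread and not a Snort feature; the function name `expand_preprocessor_vars` and the sample rule line are hypothetical, and the sample config is constructed from the snippet quoted in the thread.

```python
import re

# Matches "var NAME value", "ipvar NAME value" and "portvar NAME value".
DEF_RE = re.compile(r'^\s*(?:var|ipvar|portvar)\s+(\w+)\s+(\S.*?)\s*$')
# Matches $NAME and $(NAME); modifier forms such as $(NAME:?msg) are left alone.
REF_RE = re.compile(r'\$(?:\((\w+)\)|(\w+))')


def expand_preprocessor_vars(conf_text):
    """Return conf_text with $VAR references inside preprocessor
    directives replaced by the literal value of the variable."""
    variables = {}
    out = []
    in_preproc = False  # True while inside a (possibly continued) preprocessor directive

    def substitute(match):
        name = match.group(1) or match.group(2)
        if name not in variables:
            raise KeyError("undefined variable in preprocessor line: " + name)
        return variables[name]

    for line in conf_text.splitlines():
        stripped = line.strip()
        if not in_preproc:
            definition = DEF_RE.match(line)
            if definition:
                # Resolve references to earlier variables inside the value itself.
                variables[definition.group(1)] = REF_RE.sub(substitute, definition.group(2))
            in_preproc = stripped.startswith('preprocessor ')
        if in_preproc:
            line = REF_RE.sub(substitute, line)
            # A trailing backslash continues the directive on the next line.
            in_preproc = stripped.endswith('\\')
        out.append(line)  # rule lines pass through with their $VAR intact
    return '\n'.join(out)


# Constructed sample: the configuration from the thread plus one rule line.
SAMPLE_CONF = r"""var LINUX_SERVERS [192.168.1.2,192.168.1.3]
preprocessor frag3_global: max_frags 65536, \
  prealloc_frags 65536, \
  memcap 524288
preprocessor frag3_engine: policy linux \
       bind_to $LINUX_SERVERS \
       detect_anomalies
alert tcp any any -> $LINUX_SERVERS 22 (msg:"constructed rule"; sid:1000001;)
"""

if __name__ == "__main__":
    print(expand_preprocessor_vars(SAMPLE_CONF))
```

An undefined variable in a preprocessor line raises `KeyError` instead of being passed through, so a typo fails at generation time rather than at Snort startup.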