[Snort-users] FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.

waldo kitty wkitty42 at ...14940...
Mon Aug 15 22:20:46 EDT 2011

On 8/15/2011 21:32, alexus wrote:
> Anything specific ?
> On Aug 15, 2011 8:59 PM, "Joel Esler" <jesler at ...1935...
> <mailto:jesler at ...1935...>> wrote:
>  > Sounds like you may need to take a look at our recommended compile options at
> the top of the snort.conf in the etc/ directory.

i believe that joel is referencing the ipv6 compile option which enables ipv6 in 
snort... if you do not use ipv6, it should not be necessary to include support 
for it, IMHO...

however, one must also note that many are "running scared" of the ipv4 address 
depletion stuff and they are not realizing that the ip allocation folk still 
have several hundred thousand or more of ipv4 addresses available for 
assignment... just because the top dawgs (dogs for those without a southern US 
accent) don't have any more to allocate to the top level assigners is not really 
a reason to panic as has been seen in recent months... especially when one 
understands that RFC1918 addresses can/should be used on internal networks and 
only external facing machines really need WAN addresses that all can access...

i'm aware of several large corporations with (ancient nomenclature) class b and 
class c address blocks that are assigned to their internal lan machines which 
could easily be using RFC1918 addresses instead and that would, amongst other 
things, save them some $$$ on the cost of their address blocks ;)

More information about the Snort-users mailing list