[Snort-users] What is the difference in using IPVAR and VAR ?

Mike Lococo mikelococo at ...11827...
Thu Aug 18 11:08:25 EDT 2011


On 08/17/2011 10:57 PM, Michael Steele wrote:
> If I have ipv6 and ipv4 activated would I use ipvar and not var in the
> snort.conf?- Snort would be IPV6 compiled
>
> If I only have ipv4 activated,  would I use var in the snort.conf, or does
> it matter if I use ipvar? - Snort would not be IPV6 compiled

ipvar is a newer data-type that supports both IPv4 and IPv6 addresses. 
As long as snort is compiled with IPv6 support, ipvar is safe to use 
regardless of whether your site is primarily seeing v4 or v6 traffic 
(it's worth noting that you almost certainly have a tiny bit of v6 
traffic at your site even if you don't think you do).  However, if snort 
isn't compiled with v6 support, it will crash on startup due to not 
recognizing the ipvar keyword.

I'm not aware of any other issues or performance differences, I think 
ipvar is designed to completely replace var and we're in the transition 
period where both are supported.

If you do activate IPv6, remember that the db schema doesn't support v6 
events, so barnyard will just throw them away if you're using db output. 
  You'll have to review v6 events via output to text files or syslog or 
something.

Cheers,
Mike Lococo




More information about the Snort-users mailing list