[Snort-users] What is the difference in using IPVAR and VAR ?
mikelococo at ...11827...
Thu Aug 18 11:08:25 EDT 2011

On 08/17/2011 10:57 PM, Michael Steele wrote:
> If I have ipv6 and ipv4 activated would I use ipvar and not var in the
> snort.conf? - Snort would be IPV6 compiled
> If I only have ipv4 activated, would I use var in the snort.conf, or does
> it matter if I use ipvar? - Snort would not be IPV6 compiled

ipvar is a newer data-type that supports both IPv4 and IPv6 addresses.
As long as snort is compiled with IPv6 support, ipvar is safe to use
regardless of whether your site is primarily seeing v4 or v6 traffic
(it's worth noting that you almost certainly have a tiny bit of v6
traffic at your site even if you don't think you do). However, if snort
isn't compiled with v6 support, it will crash on startup due to not
recognizing the ipvar keyword.

I'm not aware of any other issues or performance differences; I think
ipvar is designed to completely replace var and we're in the transition
period where both are supported.

If you do activate IPv6, remember that the db schema doesn't support v6
events, so barnyard will just throw them away if you're using db output.
You'll have to review v6 events via output to text files or syslog or
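
A pre-deployment check for the startup failure described in the reply above, as an added example that is not part of the original post or of Snort itself: it scans a snort.conf body for `ipvar` declarations that a build without IPv6 support would reject, and lists address-valued `var` declarations for review. The function names, the `ipv6_build` flag (supplied by the caller from knowledge of the build) and the sample configuration are assumptions made for illustration.

```python
import ipaddress
import re

# Matches snort.conf declarations such as "ipvar HOME_NET [10.0.0.0/8]".
DECL = re.compile(r"^\s*(var|ipvar|portvar)\s+(\S+)\s+(.+?)\s*$")

def holds_addresses(value):
    """True if value is an IP/CIDR, or a bracketed list containing one."""
    for item in value.strip("[]").split(","):
        item = item.strip().lstrip("!")
        try:
            ipaddress.ip_network(item, strict=False)
            return True
        except ValueError:
            continue  # path, $VARIABLE reference, "any", ...
    return False

def check_conf(conf_text, ipv6_build):
    """Return (line_no, keyword, name, finding) tuples for a snort.conf body."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = DECL.match(line.split("#", 1)[0])  # ignore comments
        if not m:
            continue
        keyword, name, value = m.groups()
        if keyword == "ipvar" and not ipv6_build:
            # Per the post: a build without IPv6 support fails at startup here.
            findings.append((no, keyword, name, "fatal: ipvar on non-IPv6 build"))
        elif keyword == "var" and holds_addresses(value):
            findings.append((no, keyword, name, "review: addresses declared with var"))
    return findings

# Constructed sample configuration, not taken from the post.
SAMPLE_CONF = """\
# network variables
ipvar HOME_NET [192.168.1.0/24,2001:db8::/32]
ipvar EXTERNAL_NET !$HOME_NET
var DNS_SERVERS [192.168.1.53,192.168.1.54]
var RULE_PATH ../rules
portvar HTTP_PORTS [80,8080]
"""

if __name__ == "__main__":
    for build in (True, False):
        print("IPv6 build:", build)
        for finding in check_conf(SAMPLE_CONF, build):
            print("  line %d: %s %s -> %s" % finding)
```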