[Snort-users] What is the difference in using IPVAR and VAR ?

Michael Steele michaels at ...9077...
Thu Aug 18 16:00:46 EDT 2011


So if my OS is only IPv4 (Windows XP), as long as I have Snort compiled for
IPv6 I can use ipvar?

Kindest regards,
Michael...

-----Original Message-----
From: Mike Lococo [mailto:mikelococo at ...11827...] 
Sent: Thursday, August 18, 2011 11:08 AM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] What is the difference in using IPVAR and VAR ?

On 08/17/2011 10:57 PM, Michael Steele wrote:
> If I have IPv6 and IPv4 activated, would I use ipvar and not var in the
> snort.conf? - Snort would be IPv6 compiled
>
> If I only have IPv4 activated, would I use var in the snort.conf, or
> does it matter if I use ipvar? - Snort would not be IPv6 compiled

ipvar is a newer data-type that supports both IPv4 and IPv6 addresses. 
As long as snort is compiled with IPv6 support, ipvar is safe to use
regardless of whether your site is primarily seeing v4 or v6 traffic (it's
worth noting that you almost certainly have a tiny bit of v6 traffic at your
site even if you don't think you do).  However, if snort isn't compiled with
v6 support, it will crash on startup due to not recognizing the ipvar
keyword.

I'm not aware of any other issues or performance differences; I think ipvar
is designed to completely replace var and we're in the transition period
where both are supported.

If you do activate IPv6, remember that the db schema doesn't support v6
events, so barnyard will just throw them away if you're using db output.
You'll have to review v6 events via output to text files or syslog or
something.

Cheers,
Mike Lococo
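
A pre-flight check for the build dependency described in the reply above, as an added example that is not part of the original thread: it reads the `snort -V` version line and a snort.conf fragment, then reports ipvar declarations on a build without IPv6 and, on an IPv6 build, var declarations that hold addresses. The banner strings, the sample config and the function names are constructed; it assumes IPv6-enabled builds show the token `IPv6` in the version line.

```python
import ipaddress
import re

# Constructed sample inputs, not taken from the thread.
BANNER_V6 = 'o"  )~   Version 2.9.0.5 IPv6 GRE (Build 135)'
BANNER_V4 = 'o"  )~   Version 2.9.0.5 (Build 135)'
SAMPLE_CONF = """\
# constructed snort.conf fragment
ipvar HOME_NET [192.168.1.0/24,2001:db8::/32]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS 192.168.1.53
var RULE_PATH ../rules
portvar HTTP_PORTS [80,8080]
"""
DECL = re.compile(r"^\s*(ipvar|var)\s+(\S+)\s+(.+?)\s*$")

def build_has_ipv6(banner):
    """Assumption: IPv6-enabled builds show the token IPv6 in `snort -V`."""
    return re.search(r"\bIPv6\b", banner) is not None

def holds_addresses(value):
    """True if every list element is an IP, a CIDR block, `any` or a $VAR."""
    for item in (i.strip("![] ") for i in value.split(",")):
        if item == "any" or re.fullmatch(r"\$\w+", item):
            continue
        try:
            ipaddress.ip_network(item, strict=False)
        except ValueError:
            return False  # e.g. a path such as ../rules
    return True

def check_conf(conf_text, banner):
    """Return (line_no, level, message) findings for var/ipvar declarations."""
    v6 = build_has_ipv6(banner)
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = DECL.match(line.split("#", 1)[0])  # ignore comments
        if not m:
            continue
        keyword, name, value = m.groups()
        if keyword == "ipvar" and not v6:
            findings.append((no, "error", f"ipvar {name}: build lacks IPv6 support"))
        elif keyword == "var" and v6 and holds_addresses(value):
            findings.append((no, "note", f"var {name}: holds addresses, ipvar candidate"))
    return findings

if __name__ == "__main__":
    for banner in (BANNER_V4, BANNER_V6):
        print(build_has_ipv6(banner), check_conf(SAMPLE_CONF, banner))
```
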
