[Snort-users] What is the difference in using IPVAR and VAR ?

Mike Lococo mikelococo at ...11827...
Thu Aug 18 18:14:06 EDT 2011


On 08/18/2011 05:38 PM, Michael Steele wrote:
> If I have ipv6 and ipv4  enabled, then I would need to compile Snort with
> ipv6 and use ipvar?

Yes.

> If I have ipv4 installed I could still use ipvar as long as I have Snort
> compiled for ipv6, even though ipv6 was not installed on the box?

Probably, I haven't tested this.

> It's a little confusing because if I use:
> ipvar RULE_PATH d:\winids\snort\rules

This shows a deep confusion about all snort variable types, not just the 
var/ipvar transition.  RULE_PATH doesn't actually contain an ip address, 
it contains the string "d:\winids\snort\rules" so you cannot not use an 
ipvar here under any circumstances.

Summarizing section 2.1.2 of the snort manual, Snort config files 
support more than one type of variable:

  - ipvar:   Can only be used to represent ip-addresses or lists/ranges
             of ip-addresses
  - portvar: Can only be used to represent port-numbers or lists/ranges
             or port-numbers.
  - var:     An ambiguous keyword that depending on context can be used
             to represent ip-addrs (or lists/ranges of ip-addrs),
             port-numbers (or lists/ranges of port-numbers), or it can be
             used to represent a simple text-string.

In older versions of Snort, every type of variable was declared with the 
"var" keyword.  New keywords "ipvar" and "portvar" were introduced at 
some point to address those commonly used types.  "var" is now needed 
only for declaring string-type variables, but it is still possible (for 
now) to use "var" to declare variables containing ports or ip-addrs. 
This ability is provided for primarily for backwards compatibility with 
old config-files that still use var to declare everything.

What you should do is:
   - If you can get ipv6 support compiled in, use the right keyword for
     each variable type.
   - If you can't get ipv6 support compiled in, use the var keyword for
     strings and ip-addrs, and use the portvar keyword for port-numbers.

> I get an error and have to go back to:
> var RULE_PATH d:\winids\snort\rules

"var" is always the correct way to declare string-type variables like 
RULE_PATH.

Cheers,
Mike Lococo




More information about the Snort-users mailing list