[Snort-users] What is the difference in using IPVAR and VAR ?
mikelococo at ...11827...
Thu Aug 18 18:14:06 EDT 2011
On 08/18/2011 05:38 PM, Michael Steele wrote:
> If I have ipv6 and ipv4 enabled, then I would need to compile Snort with
> ipv6 and use ipvar?
> If I have ipv4 installed I could still use ipvar as long as I have Snort
> compiled for ipv6, even though ipv6 was not installed on the box?
Probably, I haven't tested this.
> It's a little confusing because if I use:
> ipvar RULE_PATH d:\winids\snort\rules
This shows a deep confusion about all snort variable types, not just the
var/ipvar transition. RULE_PATH doesn't actually contain an ip address,
it contains the string "d:\winids\snort\rules" so you cannot use an
ipvar here under any circumstances.
Summarizing section 2.1.2 of the snort manual, Snort config files
support more than one type of variable:
- ipvar: Can only be used to represent ip-addresses or lists/ranges
- portvar: Can only be used to represent port-numbers or lists/ranges
- var: An ambiguous keyword that depending on context can be used
  to represent ip-addrs (or lists/ranges of ip-addrs),
  port-numbers (or lists/ranges of port-numbers), or it can be
  used to represent a simple text-string.
In older versions of Snort, every type of variable was declared with the
"var" keyword. New keywords "ipvar" and "portvar" were introduced at
some point to address those commonly used types. "var" is now needed
only for declaring string-type variables, but it is still possible (for
now) to use "var" to declare variables containing ports or ip-addrs.
This ability is provided primarily for backwards compatibility with
old config-files that still use var to declare everything.
What you should do is:
- If you can get ipv6 support compiled in, use the right keyword for
  each variable type.
- If you can't get ipv6 support compiled in, use the var keyword for
  strings and ip-addrs, and use the portvar keyword for port-numbers.
> I get an error and have to go back to:
> var RULE_PATH d:\winids\snort\rules
"var" is always the correct way to declare string-type variables like
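The keyword rules in the message above can be checked mechanically before Snort ever parses the file. The following is an added example, not part of the original message or of Snort itself: a small linter for var/ipvar/portvar declarations. The function names and the `ipv6_build` flag are hypothetical, and the "no IPv6 build" rule encodes the advice given in the message rather than behaviour verified here.

```python
import ipaddress
import re

def _is_ip(item):
    try:
        ipaddress.ip_network(item, strict=False)  # address or CIDR, v4 or v6
        return True
    except ValueError:
        return False

def _is_port(item):
    parts = item.split(":")  # 80, 1024:, :1023 and 80:90 are all valid forms
    return len(parts) <= 2 and any(parts) and all(
        p == "" or (p.isdigit() and int(p) <= 65535) for p in parts)

def _all(value, check):
    """True if every item of a Snort list ([a,!b,$VAR,any]) passes check."""
    items = [i.lstrip("!") for i in re.sub(r"[\[\]\s]", "", value).split(",") if i]
    return bool(items) and all(
        i == "any" or i.startswith("$") or check(i) for i in items)

def lint(conf_text, ipv6_build=True):
    """Return (line_no, name, message) for each questionable declaration."""
    findings = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*(var|ipvar|portvar)\s+(\S+)\s+(.+?)\s*$", line)
        if not m:
            continue
        kw, name, value = m.groups()
        ip, port = _all(value, _is_ip), _all(value, _is_port)
        if kw == "ipvar" and not ip:
            msg = "ipvar holds a non-address value; use var"
        elif kw == "ipvar" and not ipv6_build:
            msg = "no IPv6 build; declare addresses with var"
        elif kw == "portvar" and not port:
            msg = "portvar holds a non-port value"
        elif kw == "var" and port and not ip:
            msg = "legacy var holds ports; use portvar"
        elif kw == "var" and ip and not port and ipv6_build:
            msg = "legacy var holds addresses; use ipvar"
        else:
            continue
        findings.append((n, name, msg))
    return findings

SAMPLE = r"""ipvar RULE_PATH d:\winids\snort\rules
var RULE_PATH d:\winids\snort\rules
var HOME_NET [192.168.1.0/24,10.0.0.0/8]
var HTTP_PORTS [80,8080:8090]"""  # constructed sample; line 1 is from the thread
```

Values such as `any` or `$HOME_NET` are valid for both address and port variables, so the linter stays silent on them instead of guessing a type.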