[Snort-users] var or ipvar?

waldo kitty wkitty42 at ...14940...
Mon Jan 28 16:58:28 EST 2013

On 1/28/2013 15:39, Y M wrote:
>  From Snort 2.9.4 release notes:
> "Consolidation of IPv6 -- now only a single build supports both IPv4 & IPv6, and
> removal of the IPv4 "only" code paths."
> Does this mean that ipvar should support both IPv4 and IPv6 and var is
> deprecated/ no longer needed? Or am I totally off topic here?

this is exactly what i'm talking about...

> In previous installations of Snort, we had ipvar and var both at the same config
> file and we did not see any problems, however, we didn't have IPv6 enabled at
> that point of time.

and especially this where both were used at one time... we didn't have to worry 
then because we didn't have a working IPv6 in our package... but now we have 
people taking it onto themselves to forcibly upgrade snort because they can't 
get any new rules and they are under the mistaken idea that they /have to have/ 
new rules all the time... like the old ones are going to go stale and stink up 
the place or something... so they go thru everything to get a working binary in 
our development package and install it only to find it falling over or not 
logging anything and it is starting to look like it is coming down to the use of 
var and/or ipvar in some cases...

> YM
> --------------------------------------------------------------------------------
> From: Joel Esler <mailto:jesler at ...1935...>
> Sent: 1/28/2013 11:07 PM
> To: Nicholas Bogart <mailto:nickybzoss at ...11827...>
> Cc: snort-users at lists.sourceforge.net <mailto:snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] var or ipvar?
> Ipvar, for ips. Portvar for ports.
> --
> Joel Esler
> Sent from my iPad
> On Jan 28, 2013, at 3:01 PM, Nicholas Bogart <nickybzoss at ...11827...
> <mailto:nickybzoss at ...11827...>> wrote:
>> Last I remember on this from the manual you only use ipvar if you are working
>> in an IPv6 environment and have enabled snort for IPv6. If you have it turned
>> off then you can continue and are encouraged to still use var.
>> Nick
>> On Mon, Jan 28, 2013 at 1:56 PM, waldo kitty <wkitty42 at ...14940...
>> <mailto:wkitty42 at ...14940...>> wrote:
>>     var used to be used for most all var definitions... then work was being
>>     done for IPv6 and ipvar was created... since then, it seems that ipvar
>>     has been retained for all and var is simply no longer used...
>>     is this accurate?
>>     why is var not retained as an alias for ipvar? systems have been breaking all
>>     around us and it is only just now that we're starting to find this possibly
>>     being the problem :(
>>     will it hurt to have both var and ipvar pointing to the same definitions??
>>     will older snorts fall over because of ipvar being introduced into their
>>     environment before they are ready for it?
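
Added example, not part of any message in this thread: a small checker that applies the rule of thumb given above ("Ipvar, for ips. Portvar for ports.") to a snort.conf fragment and reports plain var declarations whose values look like addresses or ports. The sample config, the function names and the simplified "keyword NAME value" parsing are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample snort.conf fragment (not taken from the thread).
SAMPLE_CONF = """\
var HOME_NET [192.168.1.0/24,10.0.0.0/8]
ipvar EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var HTTP_PORTS [80,8080,8000:8010]
portvar SSH_PORTS 22
var RULE_PATH ../rules
ipvar V6_NET 2001:db8::/32
"""

DECL = re.compile(r"^\s*(var|ipvar|portvar)\s+(\S+)\s+(.+?)\s*$")
PORT = re.compile(r"\d+(:\d*)?|:\d+")  # 80, 8000:8010, 1024:, :1024

def kind_of(value, known):
    """Return 'ip', 'port' or 'other' for a variable value (hypothetical helper)."""
    kinds = set()
    for atom in filter(None, re.split(r"[\[\],\s]+", value)):
        atom = atom.lstrip("!")  # negation does not change the type
        if atom.startswith("$"):
            kinds.add(known.get(atom[1:], "other"))  # inherit from earlier declaration
        elif PORT.fullmatch(atom):
            kinds.add("port")
        else:
            try:
                ipaddress.ip_network(atom, strict=False)  # IPv4 or IPv6, host or CIDR
                kinds.add("ip")
            except ValueError:
                kinds.add("other")  # 'any', file paths, anything else
    return kinds.pop() if len(kinds) == 1 else "other"

def lint(conf):
    """List (line number, name, suggested keyword) for each var holding IPs or ports."""
    known, findings = {}, []
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = DECL.match(line)
        if not m:
            continue  # comments, blank lines, other directives
        keyword, name, value = m.groups()
        kind = {"ipvar": "ip", "portvar": "port"}.get(keyword) or kind_of(value, known)
        known[name] = kind
        want = {"ip": "ipvar", "port": "portvar"}.get(kind)
        if keyword == "var" and want:
            findings.append((lineno, name, want))
    return findings

if __name__ == "__main__":
    for lineno, name, want in lint(SAMPLE_CONF):
        print(f"line {lineno}: var {name} -> consider {want}")
```

Path-style variables such as RULE_PATH and values of "any" are left alone, since their type cannot be inferred from the value.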
