[Snort-users] var or ipvar?

Todd Wease twease at ...1935...
Mon Jan 28 17:44:48 EST 2013


If "var" defines an IP or IP list (IPv4 or IPv6), it is stored in the same
structure as if you had used "ipvar", i.e.

var HOME_NET 192.168.0.0/24

is equivalent to

ipvar HOME_NET 192.168.0.0/24

On Mon, Jan 28, 2013 at 4:58 PM, waldo kitty <wkitty42 at ...14940...>wrote:

> On 1/28/2013 15:39, Y M wrote:
> >  From Snort 2.9.4 release notes:
> >
> > "Consolidation of IPv6 -- now only a single build supports both IPv4 &
> IPv6, and
> > removal of the IPv4 "only" code paths."
> >
> > Does this mean that ipvar should support both IPv4 and IPv6 and var is
> > deprecated/ no longer needed? Or am I totally off topic here?
>
> this is exactly what i'm talking about...
>
> > In previous installations of Snort, we had ipvar and var both at the
> same config
> > file and we did not see any problems, however, we didn't have IPv6
> enabled at
> > that point of time.
>
> and especially this where both were used at one time... we didn't have to
> worry
> then because we didn't have a working IPv6 in our package... but now we
> have
> people taking it onto themselves to forcibly upgrade snort because they
> can't
> get any new rules and they are under the mistaken idea that they /have to
> have/
> new rules all the time... like the old ones are going to go stale and
> stink up
> the place or something... so they go thru everything to get a working
> binary in
> our development package and install it only to find it falling over or not
> logging anything and it is starting to look like it is coming down to the
> use of
> var and/or ipvar in some cases...
>
> > YM
> >
> --------------------------------------------------------------------------------
> > From: Joel Esler <mailto:jesler at ...1935...>
> > Sent: ‎1/‎28/‎2013 11:07 PM
> > To: Nicholas Bogart <mailto:nickybzoss at ...11827...>
> > Cc: snort-users at lists.sourceforge.net <mailto:
> snort-users at lists.sourceforge.net>
> > Subject: Re: [Snort-users] var or ipvar?
> >
> > Ipvar, for ips. Portvar for ports.
> >
> > --
> > Joel Esler
> > Sent from my iPad
> >
> > On Jan 28, 2013, at 3:01 PM, Nicholas Bogart <nickybzoss at ...11827...
> > <mailto:nickybzoss at ...11827...>> wrote:
> >
> >> Last I remember on this from the manual you only use ipvar if you are
> working
> >> in an IPv6 evironment and have enabled snort for IPv6. If you have it
> turned
> >> off then you can continue and are encouraged to still use var.
> >> Nick
> >>
> >> On Mon, Jan 28, 2013 at 1:56 PM, waldo kitty <wkitty42 at ...14940...
> >> <mailto:wkitty42 at ...14940...>> wrote:
> >>
> >>
> >>     var used to be used for most all var definitions... then work was
> being
> >>     done for
> >>     IPv6 and ipvar was created... since then, it seems that ipvar has
> been
> >>     retained
> >>     for all and var is simply no longer used...
> >>
> >>     is this accurate?
> >>
> >>     why is var not retained as an alias for ipvar? systems have been
> breaking all
> >>     around us and it is only just now that we're starting to find this
> possibly
> >>     being the problem :(
> >>
> >>     will it hurt to have both var and ipvar pointing to the same
> definitions??
> >>
> >>     will older snorts fall over because of ipvar being introduced into
> their
> >>     environment before they are ready for it?
>
>
>
>
> ------------------------------------------------------------------------------
> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> MVPs and experts. ON SALE this month only -- learn more at:
> http://p.sf.net/sfu/learnnow-d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130128/db7c67b4/attachment.html>


More information about the Snort-users mailing list