[Snort-users] var or ipvar?

waldo kitty wkitty42 at ...14940...
Mon Jan 28 21:28:21 EST 2013

On 1/28/2013 15:49, Joel Esler wrote:
> On Jan 28, 2013, at 3:36 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>> On 1/28/2013 15:10, Joel Esler wrote:
>>> Ipvar, for ips. Portvar for ports.
>> i love bikini answers! short and to the point ;)
> Sorry, was on my iPad.

not a problem, really ;)

>> but in this case, i'm needing a bit more information, please...
>> ipvar was started being used for IPv6 at what version of snort?
> Um. I want to say 2.6.0?

maybe something after

>> ipvar was started being used for both IPv4 and IPv6 at what version of snort?
> You've always been able to use both. What you haven't been able to do is use var
> for ipv6 addresses. enabled ipv6 by default, and removed the
> separate code paths.


>> var was no longer for IPv4 used at what version of snort?
> It always has been. But we've eliminated the difference now.

as of ok...

>> and lastly this question from the previous post...
>> will older snorts fall over because of ipvar being introduced into their
>> environment before they are ready for it?
> If it's not compiled with --enable-ipv6, yes. But if you compiled ipv6 in, you
> should be good to go.

older versions (ie: 2.8.6.x) of snort didn't have --enable-ipv6 as i recall... 
so ok, any unknown keywords will elicit a fail when starting snort...

i'll have to check with those who are endeavoring to provide OOB (Out of Band) 
updates for our environment and see what specific options they are compiling 
their releases of snort with...

thank you and my apologies if some of my posts in this thread are a bit 
frustrated sounding... it is a really ugly situation and causing problems... 
more so than just not being able to download the current set of rules 30 days old 
and such... that particular "catch 22" still seems like it should be a rolling 
30 days thing...
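
A pre-deployment check for the two failure cases named in this thread (`ipvar` on a Snort built without `--enable-ipv6`, and IPv6 addresses placed in `var`), as an added example that is not part of the original post or of Snort itself. The sample config and the names `check_conf` and `has_ipv6` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample snort.conf fragment (not from the thread).
SAMPLE_CONF = """\
# network variables
var HOME_NET [192.168.1.0/24,10.0.0.0/8]
ipvar DMZ_NET 172.16.5.0/24
var V6_NET [2001:db8::/32,!2001:db8:1::/48]
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
var RULE_PATH ../rules
"""

# Only var and ipvar declarations are examined; portvar is left alone.
DECL = re.compile(r"^\s*(var|ipvar)\s+(\S+)\s+(.+?)\s*$")

def has_ipv6(value):
    """True if any element of a Snort address list is an IPv6 address or CIDR."""
    for item in re.split(r"[\[\],\s]+", value):
        item = item.lstrip("!")  # drop negation before parsing
        if not item or item.startswith("$") or item == "any":
            continue  # variable references and 'any' carry no literal address
        try:
            if ipaddress.ip_network(item, strict=False).version == 6:
                return True
        except ValueError:
            continue  # paths and other non-address values
    return False

def check_conf(text, ipv6_build):
    """Return (line_no, name, problem) for declarations the thread says will fail."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = DECL.match(line.split("#", 1)[0])  # ignore trailing comments
        if not m:
            continue
        keyword, name, value = m.groups()
        if keyword == "ipvar" and not ipv6_build:
            findings.append((no, name, "ipvar on a build without --enable-ipv6"))
        elif keyword == "var" and has_ipv6(value):
            findings.append((no, name, "IPv6 address in var; use ipvar"))
    return findings

if __name__ == "__main__":
    for finding in check_conf(SAMPLE_CONF, ipv6_build=False):
        print(finding)
```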
