[Snort-users] var or ipvar?

waldo kitty wkitty42 at ...14940...
Mon Jan 28 21:38:52 EST 2013


On 1/28/2013 17:44, Todd Wease wrote:
> If "var" defines an IP or IP list (IPv4 or IPv6), it is stored in the same
> structure as if you had used "ipvar", i.e.
>
> var HOME_NET 192.168.0.0/24
>
> is equivalent to
>
> ipvar HOME_NET 192.168.0.0/24

so you are saying that "var" is equivalent to "ipvar"?

up to what version of snort?

> On Mon, Jan 28, 2013 at 4:58 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>
>     On 1/28/2013 15:39, Y M wrote:
>      >  From Snort 2.9.4 release notes:
>      >
>      > "Consolidation of IPv6 -- now only a single build supports both IPv4 &
>      > IPv6, and
>      > removal of the IPv4 "only" code paths."
>      >
>      > Does this mean that ipvar should support both IPv4 and IPv6 and var is
>      > deprecated/ no longer needed? Or am I totally off topic here?
>
>     this is exactly what i'm talking about...
>
>      > In previous installations of Snort, we had ipvar and var both at the same
>      > config
>      > file and we did not see any problems, however, we didn't have IPv6 enabled at
>      > that point of time.
>
>     and especially this where both were used at one time... we didn't have to worry
>     then because we didn't have a working IPv6 in our package... but now we have
>     people taking it onto themselves to forcibly upgrade snort because they can't
>     get any new rules and they are under the mistaken idea that they /have to have/
>     new rules all the time... like the old ones are going to go stale and stink up
>     the place or something... so they go thru everything to get a working binary in
>     our development package and install it only to find it falling over or not
>     logging anything and it is starting to look like it is coming down to the use of
>     var and/or ipvar in some cases...
>
>      > YM
>      >
>      > --------------------------------------------------------------------------------
>      > From: Joel Esler <jesler at ...1935...>
>      > Sent: 1/28/2013 11:07 PM
>      > To: Nicholas Bogart <nickybzoss at ...11827...>
>      > Cc: snort-users at lists.sourceforge.net
>      > Subject: Re: [Snort-users] var or ipvar?
>      >
>      > Ipvar, for ips. Portvar for ports.
>      >
>      > --
>      > Joel Esler
>      > Sent from my iPad
>      >
>      > On Jan 28, 2013, at 3:01 PM, Nicholas Bogart <nickybzoss at ...11827...> wrote:
>      >
>      >> Last I remember on this from the manual you only use ipvar if you are
>      >> working
>      >> in an IPv6 environment and have enabled snort for IPv6. If you have it turned
>      >> off then you can continue and are encouraged to still use var.
>      >> Nick
>      >>
>      >> On Mon, Jan 28, 2013 at 1:56 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>      >>
>      >>
>      >>     var used to be used for most all var definitions... then work was being
>      >>     done for IPv6 and ipvar was created... since then, it seems that ipvar has
>      >>     been retained for all and var is simply no longer used...
>      >>
>      >>     is this accurate?
>      >>
>      >>     why is var not retained as an alias for ipvar? systems have been breaking
>      >>     all around us and it is only just now that we're starting to find this
>      >>     possibly being the problem :(
>      >>
>      >>     will it hurt to have both var and ipvar pointing to the same definitions??
>      >>
>      >>     will older snorts fall over because of ipvar being introduced into their
>      >>     environment before they are ready for it?
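
Added example, not written by anyone in this thread and not Snort project code: a small check that applies the advice quoted above ("Ipvar, for ips. Portvar for ports.") to a config file, listing each `var` whose value is an address list or a port list. The sample config is constructed and the function names are hypothetical; `any`, paths and mixed lists are deliberately left unflagged.

```python
import ipaddress
import re

# Constructed sample config, not taken from the thread.
SAMPLE_CONF = """\
var HOME_NET 192.168.0.0/24
ipvar DNS_SERVERS [192.168.0.10,2001:db8::53]
var EXTERNAL_NET !$HOME_NET
var HTTP_PORTS [80,8080:8090]
var RULE_PATH ../rules
var TRUSTED any
"""
DECL = re.compile(r"^\s*(var|ipvar|portvar)\s+(\S+)\s+(.+?)\s*$")
FORCED = {"ipvar": "ip", "portvar": "port"}  # these keywords fix the kind
WANT = {"ip": "ipvar", "port": "portvar"}    # kind -> keyword to suggest

def _kind(tok):
    try:
        ipaddress.ip_network(tok, strict=False)  # IPv4/IPv6 address or CIDR
        return "ip"
    except ValueError:
        parts = tok.split(":")  # port forms: 80, 8080:8090, :1024, 1024:
        ok = len(parts) <= 2 and any(parts) and all(
            p == "" or (p.isdigit() and int(p) <= 65535) for p in parts)
        return "port" if ok else "other"

def classify(value, kinds):
    """Return 'ip', 'port' or 'other' ('any', paths, mixed lists) for a value."""
    found = set()
    for tok in re.sub(r"[\[\]\s]", "", value).split(","):
        tok = tok.lstrip("!")  # strip negation; $NAME inherits the referenced kind
        found.add(kinds.get(tok[1:], "other") if tok.startswith("$") else _kind(tok))
    return found.pop() if len(found) == 1 else "other"

def lint(conf):
    """Return (line, name, suggested keyword) for each `var` holding IPs or ports."""
    kinds, findings = {}, []
    for n, line in enumerate(conf.splitlines(), 1):
        m = DECL.match(line.split("#", 1)[0])
        if m:
            keyword, name, value = m.groups()
            kinds[name] = FORCED.get(keyword) or classify(value, kinds)
            if keyword == "var" and kinds[name] in WANT:
                findings.append((n, name, WANT[kinds[name]]))
    return findings

if __name__ == "__main__":
    for n, name, kw in lint(SAMPLE_CONF):
        print(f"line {n}: var {name} -> {kw}")
```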





