[Snort-users] var or ipvar?

Todd Wease twease at ...1935...
Tue Jan 29 10:31:32 EST 2013


On Mon, Jan 28, 2013 at 9:38 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>
> On 1/28/2013 17:44, Todd Wease wrote:
> > If "var" defines an IP or IP list (IPv4 or IPv6), it is stored in the same
> > structure as if you had used "ipvar", i.e.
> >
> > var HOME_NET 192.168.0.0/24
> >
> > is equivalent to
> >
> > ipvar HOME_NET 192.168.0.0/24
>
> so you are saying that "var" is equivalent to "ipvar"?

When the "var" is an IP or IP list.

>
> up to what version of snort?

Since 2.9.1 with defaults to configure and at least 2.8.6 if
configured with --enable-ipv6.

>
> > On Mon, Jan 28, 2013 at 4:58 PM, waldo kitty <wkitty42 at ...14940...
> > <mailto:wkitty42 at ...14940...>> wrote:
> >
> >     On 1/28/2013 15:39, Y M wrote:
> >      >  From Snort 2.9.4 release notes:
> >      >
> >      > "Consolidation of IPv6 -- now only a single build supports both IPv4 &
> >     IPv6, and
> >      > removal of the IPv4 "only" code paths."
> >      >
> >      > Does this mean that ipvar should support both IPv4 and IPv6 and var is
> >      > deprecated/ no longer needed? Or am I totally off topic here?
> >
> >     this is exactly what i'm talking about...
> >
> >      > In previous installations of Snort, we had ipvar and var both at the same
> >     config
> >      > file and we did not see any problems, however, we didn't have IPv6 enabled at
> >      > that point of time.
> >
> >     and especially this where both were used at one time... we didn't have to worry
> >     then because we didn't have a working IPv6 in our package... but now we have
> >     people taking it onto themselves to forcibly upgrade snort because they can't
> >     get any new rules and they are under the mistaken idea that they /have to have/
> >     new rules all the time... like the old ones are going to go stale and stink up
> >     the place or something... so they go thru everything to get a working binary in
> >     our development package and install it only to find it falling over or not
> >     logging anything and it is starting to look like it is coming down to the use of
> >     var and/or ipvar in some cases...
> >
> >      > YM
> >      >
> >     --------------------------------------------------------------------------------
> >      > From: Joel Esler <mailto:jesler at ...1935...
> >     <mailto:jesler at ...1935...>>
> >      > Sent: ‎1/‎28/‎2013 11:07 PM
> >      > To: Nicholas Bogart <mailto:nickybzoss at ...11827...
> >     <mailto:nickybzoss at ...11827...>>
> >      > Cc: snort-users at lists.sourceforge.net
> >     <mailto:snort-users at lists.sourceforge.net>
> >     <mailto:snort-users at lists.sourceforge.net
> >     <mailto:snort-users at lists.sourceforge.net>>
> >      > Subject: Re: [Snort-users] var or ipvar?
> >      >
> >      > Ipvar, for ips. Portvar for ports.
> >      >
> >      > --
> >      > Joel Esler
> >      > Sent from my iPad
> >      >
> >      > On Jan 28, 2013, at 3:01 PM, Nicholas Bogart <nickybzoss at ...13610...7...
> >     <mailto:nickybzoss at ...11827...>
> >      > <mailto:nickybzoss at ...11827... <mailto:nickybzoss at ...11827...>>> wrote:
> >      >
> >      >> Last I remember on this from the manual you only use ipvar if you are
> >     working
> >      >> in an IPv6 evironment and have enabled snort for IPv6. If you have it turned
> >      >> off then you can continue and are encouraged to still use var.
> >      >> Nick
> >      >>
> >      >> On Mon, Jan 28, 2013 at 1:56 PM, waldo kitty <wkitty42 at ...14945......
> >     <mailto:wkitty42 at ...14940...>
> >      >> <mailto:wkitty42 at ...14940... <mailto:wkitty42 at ...14940...>>> wrote:
> >      >>
> >      >>
> >      >>     var used to be used for most all var definitions... then work was being
> >      >>     done for
> >      >>     IPv6 and ipvar was created... since then, it seems that ipvar has been
> >      >>     retained
> >      >>     for all and var is simply no longer used...
> >      >>
> >      >>     is this accurate?
> >      >>
> >      >>     why is var not retained as an alias for ipvar? systems have been
> >     breaking all
> >      >>     around us and it is only just now that we're starting to find this
> >     possibly
> >      >>     being the problem :(
> >      >>
> >      >>     will it hurt to have both var and ipvar pointing to the same
> >     definitions??
> >      >>
> >      >>     will older snorts fall over because of ipvar being introduced into their
> >      >>     environment before they are ready for it?
>
>
>
> ------------------------------------------------------------------------------
> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> MVPs and experts. ON SALE this month only -- learn more at:
> http://p.sf.net/sfu/learnnow-d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!




More information about the Snort-users mailing list