[Snort-users] $eth1_ADDRESS still a valid variable in

Starner, Mark mark.starner at ...5850...
Tue Feb 17 12:54:29 EST 2015

Ok.. I get that…. So I come back to my original question.


How do I get $ethX_ADDRESS variables assigned if –enable-sourcefire is configured and I am not running snort as root? I thought running as root was a bad idea?


Here is the section of code from parser.c



    /* If snort is not run with root privileges, no interfaces will be defined,

     * so user beware if an iface_ADDRESS variable is used in snort.conf and

     * snort is not run as root (even if just in read mode) */




Is there another way to enable that?


Curious what the thinking is here?






From: Joel Esler (jesler) [mailto:jesler at ...589...] 
Sent: Tuesday, February 17, 2015 12:21 PM
To: Starner, Mark
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] $eth1_ADDRESS still a valid variable in


Unfortunately that disables everything that we test against with the ruleset.  I suggest you not do that. 



On Feb 17, 2015, at 12:03 PM, Starner, Mark <mark.starner at ...5850... <mailto:mark.starner at ...5850...> > wrote:


I retract my question. I configured “—enable-sourcefire” for the first time and found the comment in parser.c that said the $IF_ADDRESS variables are not defined if Sourcefire is enabled and snort is not running as root. So I recompiled without “—enable-sourcefire” and all is well.


Maybe this will help anyone else who comes across this.





From: Starner, Mark [mailto:mark.starner at ...5850...] 
Sent: Tuesday, February 17, 2015 11:33 AM
To: snort-users at lists.sourceforge.net <mailto:snort-users at ...5870....net> 
Subject: [Snort-users] $eth1_ADDRESS still a valid variable in


I use $eth1_ADDRESS in one of my local rules, and when snort starts, it says:

ERROR: rules/local.rules(8) Undefined variable in the string: $eth1_ADDRESS.


I think I encountered this with a previous upgrade, but I don’t recall how I resolved it.



1)      Is this still valid with

2)      If Yes, then what would cause this NOT to be defined (yes, I verified I have an eth1 and it has an IP address defined.





Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=190641631 <http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk_______________________________________________> &iu=/4140/ostg.clktrk_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net <mailto:Snort-users at lists.sourceforge.net> 
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org to stay current on all the latest Snort news!


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150217/a2d3f773/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 9426 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150217/a2d3f773/attachment.bin>

More information about the Snort-users mailing list