[Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?

Starner, Mark mark.starner at ...5850...
Tue Feb 17 12:54:29 EST 2015


Ok.. I get that…. So I come back to my original question.

 

How do I get $ethX_ADDRESS variables assigned if –enable-sourcefire is configured and I am not running snort as root? I thought running as root was a bad idea?

 

Here is the section of code from parser.c

 

#ifndef SOURCEFIRE

    /* If snort is not run with root privileges, no interfaces will be defined,

     * so user beware if an iface_ADDRESS variable is used in snort.conf and

     * snort is not run as root (even if just in read mode) */

    DefineAllIfaceVars(sc);

#endif

 

Is there another way to enable that?

 

Curious what the thinking is here?

 

Thanks

Mark

 

 

From: Joel Esler (jesler) [mailto:jesler at ...589...] 
Sent: Tuesday, February 17, 2015 12:21 PM
To: Starner, Mark
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?

 

Unfortunately that disables everything that we test against with the ruleset.  I suggest you not do that. 

 

 

On Feb 17, 2015, at 12:03 PM, Starner, Mark <mark.starner at ...5850... <mailto:mark.starner at ...5850...> > wrote:

 

I retract my question. I configured “—enable-sourcefire” for the first time and found the comment in parser.c that said the $IF_ADDRESS variables are not defined if Sourcefire is enabled and snort is not running as root. So I recompiled without “—enable-sourcefire” and all is well.

 

Maybe this will help anyone else who comes across this.

 

Mark

 

 

From: Starner, Mark [mailto:mark.starner at ...5850...] 
Sent: Tuesday, February 17, 2015 11:33 AM
To: snort-users at lists.sourceforge.net <mailto:snort-users at ...5870....net> 
Subject: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?

 

I use $eth1_ADDRESS in one of my local rules, and when snort 2.9.7.0 starts, it says:

ERROR: rules/local.rules(8) Undefined variable in the string: $eth1_ADDRESS.

 

I think I encountered this with a previous upgrade, but I don’t recall how I resolved it.

 

So

1)      Is this still valid with 2.9.7.0?

2)      If Yes, then what would cause this NOT to be defined (yes, I verified I have an eth1 and it has an IP address defined.

 

Thanks

Mark

 

------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=190641631 <http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk_______________________________________________> &iu=/4140/ostg.clktrk_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net <mailto:Snort-users at lists.sourceforge.net> 
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150217/a2d3f773/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 9426 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150217/a2d3f773/attachment.bin>


More information about the Snort-users mailing list