[Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?

James Lay jlay at ...13475...
Tue Feb 17 15:51:58 EST 2015


 

On 2015-02-17 01:32 PM, Al Lewis (allewi) wrote: 

> Can you send us the conf file you are using? Or how you are defining the variables?
>
> Thanks!
>
> Albert Lewis
> QA Software Engineer
> SOURCEFIRE, Inc. now part of CISCO
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> Phone: (office) 443.430.7112
> Email: allewi at ...589...
>
> FROM: Starner, Mark [mailto:mark.starner at ...5850...]
> SENT: Tuesday, February 17, 2015 12:54 PM
> TO: snort-users at lists.sourceforge.net
> SUBJECT: Re: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?
>
> Ok.. I get that…. So I come back to my original question.
>
> How do I get $ethX_ADDRESS variables assigned if -enable-sourcefire is configured and I am not running snort as root? I thought running as root was a bad idea?
>
> Here is the section of code from parser.c
>
> #ifndef SOURCEFIRE
>     /* If snort is not run with root privileges, no interfaces will be defined,
>      * so user beware if an iface_ADDRESS variable is used in snort.conf and
>      * snort is not run as root (even if just in read mode) */
>     DefineAllIfaceVars(sc);
> #endif
>
> Is there another way to enable that?
>
> Curious what the thinking is here?
>
> Thanks
>
> Mark
>
> FROM: Joel Esler (jesler) [mailto:jesler at ...589... [9]]
> SENT: Tuesday, February 17, 2015 12:21 PM
> TO: Starner, Mark
> CC: snort-users at lists.sourceforge.net [10]
> SUBJECT: Re: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?
>
> Unfortunately that disables everything that we test against with the ruleset. I suggest you not do that.
>
>> On Feb 17, 2015, at 12:03 PM, Starner, Mark <mark.starner at ...5850... [1]> wrote:
>>
>> I retract my question. I configured "--enable-sourcefire" for the first time and found the comment in parser.c that said the $IF_ADDRESS variables are not defined if Sourcefire is enabled and snort is not running as root. So I recompiled without "--enable-sourcefire" and all is well.
>>
>> Maybe this will help anyone else who comes across this.
>>
>> Mark
>>
>> FROM: Starner, Mark [mailto:mark.starner at ...5850... [2]]
>> SENT: Tuesday, February 17, 2015 11:33 AM
>> TO: snort-users at lists.sourceforge.net [3]
>> SUBJECT: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?
>>
>> I use $eth1_ADDRESS in one of my local rules, and when snort 2.9.7.0 starts, it says:
>>
>> ERROR: rules/local.rules(8) Undefined variable in the string: $eth1_ADDRESS.
>>
>> I think I encountered this with a previous upgrade, but I don't recall how I resolved it.
>>
>> So
>>
>> 1) Is this still valid with 2.9.7.0?
>>
>> 2) If Yes, then what would cause this NOT to be defined (yes, I verified I have an eth1 and it has an IP address defined)?
>>
>> Thanks
>>
>> Mark

Define it at the start of local.rules:

ipvar eth1_ADDRESS <ip.address>

James 

Links:
------
[1] mailto:mark.starner at ...5850...
[2] mailto:mark.starner at ...5850...
[3] mailto:snort-users at lists.sourceforge.net
[4] http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk_______________________________________________
[5] mailto:Snort-users at lists.sourceforge.net
[6] https://lists.sourceforge.net/lists/listinfo/snort-users
[7] http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
[8] http://blog.snort.org
[9] mailto:jesler at ...589...
[10] mailto:snort-users at lists.sourceforge.net
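
A hard-coded ipvar has to be kept in step with the interface it names. The shell helper below is an added example, not code from this thread or from Snort: it finds $<iface>_ADDRESS references in a rules file that have no var/ipvar definition there and builds the ipvar lines from saved `ip -o -4 addr show` output. The function names, sample rules and addresses are constructed, and using the bare host address as the value is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for $<iface>_ADDRESS use.

# Names of <iface>_ADDRESS variables a rules file references ($name or $(name))
# but does not define itself with var/ipvar.
undefined_iface_vars() {
    for name in $(grep -v '^[[:space:]]*#' "$1" |
                  grep -oE '\$\(?[A-Za-z0-9]+_ADDRESS' | tr -d '$(' | sort -u); do
        grep -qE "^[[:space:]]*(ip)?var[[:space:]]+${name}[[:space:]]" "$1" ||
            echo "$name"
    done
}

# Build "ipvar <name> <address>" from `ip -o -4 addr show` output saved in file $1.
# Assumption: the host address (no prefix length) is the value wanted.
ipvar_line() {
    awk -v ifc="${2%_ADDRESS}" -v var="$2" '
        $2 == ifc && $3 == "inet" { split($4, a, "/"); print "ipvar", var, a[1]; found = 1; exit }
        END { exit !found }' "$1"
}

# Print the definitions to place at the top of rules file $1; non-zero status
# if a referenced interface has no IPv4 address in $2.
missing_ipvars() {
    rc=0
    for name in $(undefined_iface_vars "$1"); do
        ipvar_line "$2" "$name" ||
            { echo "no IPv4 address for ${name%_ADDRESS}" >&2; rc=1; }
    done
    return $rc
}

# Constructed sample inputs (documentation addresses, made-up SIDs).
tmp=$(mktemp -d)
cat > "$tmp/local.rules" <<'EOF'
ipvar eth0_ADDRESS 192.0.2.10
alert tcp any any -> $eth0_ADDRESS 22 (msg:"ssh to eth0"; sid:1000001; rev:1;)
alert tcp any any -> $eth1_ADDRESS 80 (msg:"http to eth1"; sid:1000002; rev:1;)
EOF
cat > "$tmp/addrs.txt" <<'EOF'
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet 198.51.100.7/24 brd 198.51.100.255 scope global eth1\       valid_lft forever preferred_lft forever
EOF
missing_ipvars "$tmp/local.rules" "$tmp/addrs.txt"
```

On a live sensor, save the output of `ip -o -4 addr show` to a file and pass it as the second argument; reading interface addresses this way does not need root.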