[Snort-users] $eth1_ADDRESS still a valid variable in

Starner, Mark mark.starner at ...5850...
Tue Feb 17 15:38:38 EST 2015

I am not defining the variable – in the past (and without –enable-sourcefire) Snort always defined the variable for me. And it still does if I don’t use the “—enable-sourcefire” config directive.


I’d prefer not to send my conf file in the clear to the mailing list.


I am just using that Snort defined variable in one of my rules to generate an alert for specific packets directed to the Management Interface of my Snort Sensor.


My questions at this point are:

1)      Is it safe to run Snort as root in order to get Snort to define the interface variables? (since that seems to be the only way to get those variables assigned if you –enable-sourcefire)????


2)      Why does “—enable-sourcefire” disable the creation/assignment of the interface variables? Is there a risk using those variables in rules?



From: Al Lewis (allewi) [mailto:allewi at ...589...] 
Sent: Tuesday, February 17, 2015 3:33 PM
To: Starner, Mark; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] $eth1_ADDRESS still a valid variable in


Can you send us the conf file you are using? Or how you are defining the variables?





Albert Lewis

QA Software Engineer

SOURCEfire, Inc. now part of Cisco

9780 Patuxent Woods Drive
Columbia, MD 21046 

Phone: (office) 443.430.7112

Email: allewi at ...589... <mailto:allewi at ...589...>  


From: Starner, Mark [mailto:mark.starner at ...5850...] 
Sent: Tuesday, February 17, 2015 12:54 PM
To: snort-users at lists.sourceforge.net <mailto:snort-users at ...5870....net> 
Subject: Re: [Snort-users] $eth1_ADDRESS still a valid variable in


Ok.. I get that…. So I come back to my original question.


How do I get $ethX_ADDRESS variables assigned if –enable-sourcefire is configured and I am not running snort as root? I thought running as root was a bad idea?


Here is the section of code from parser.c



    /* If snort is not run with root privileges, no interfaces will be defined,

     * so user beware if an iface_ADDRESS variable is used in snort.conf and

     * snort is not run as root (even if just in read mode) */




Is there another way to enable that?


Curious what the thinking is here?






From: Joel Esler (jesler) [mailto:jesler at ...589...] 
Sent: Tuesday, February 17, 2015 12:21 PM
To: Starner, Mark
Cc: snort-users at lists.sourceforge.net <mailto:snort-users at ...5870....net> 
Subject: Re: [Snort-users] $eth1_ADDRESS still a valid variable in


Unfortunately that disables everything that we test against with the ruleset.  I suggest you not do that. 



On Feb 17, 2015, at 12:03 PM, Starner, Mark <mark.starner at ...5850... <mailto:mark.starner at ...5850...> > wrote:


I retract my question. I configured “—enable-sourcefire” for the first time and found the comment in parser.c that said the $IF_ADDRESS variables are not defined if Sourcefire is enabled and snort is not running as root. So I recompiled without “—enable-sourcefire” and all is well.


Maybe this will help anyone else who comes across this.





From: Starner, Mark [mailto:mark.starner at ...5850...] 
Sent: Tuesday, February 17, 2015 11:33 AM
To: snort-users at lists.sourceforge.net <mailto:snort-users at ...5870....net> 
Subject: [Snort-users] $eth1_ADDRESS still a valid variable in


I use $eth1_ADDRESS in one of my local rules, and when snort starts, it says:

ERROR: rules/local.rules(8) Undefined variable in the string: $eth1_ADDRESS.


I think I encountered this with a previous upgrade, but I don’t recall how I resolved it.



1)      Is this still valid with

2)      If Yes, then what would cause this NOT to be defined (yes, I verified I have an eth1 and it has an IP address defined.





Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=190641631 <http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk_______________________________________________> &iu=/4140/ostg.clktrk_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net <mailto:Snort-users at lists.sourceforge.net> 
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org to stay current on all the latest Snort news!


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150217/ce60aed5/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 9426 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150217/ce60aed5/attachment.bin>

More information about the Snort-users mailing list