[Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?

Starner, Mark mark.starner at ...5850...
Tue Feb 17 16:06:27 EST 2015


I have > 50 snort sensors. So before I modify all of them to define this variable in my local.rules file I want to be sure that this is really the best fix to the issue. 

 

I really don’t want to go write code to define that variable on boot, insert it into the file only to find out tomorrow that “Oh, that was a bug, they should be defined automatically like they always were”.

 

So I just want to be sure that those variables are no longer defined in the *supported* configuration.

 

Is it documented anywhere exactly what "--enable-sourcefire" does?

Does it enable a whole slew of other options?

 

Thanks

Mark
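
[Editor's note: the script below is an added example, not code from this thread or from the Snort distribution. It does what Mark describes wanting to avoid writing by hand on 50+ sensors: at boot, as root, before snort starts and drops privileges, it reads the interfaces and writes one "ipvar <iface>_ADDRESS" line per IPv4 interface into an include file, so that local.rules can keep using $eth1_ADDRESS on a --enable-sourcefire build where parser.c skips DefineAllIfaceVars(). It assumes Linux with iproute2 (`ip -4 -o addr show`); the output path /etc/snort/iface_vars.conf, the "include" line and the net/dotted-mask value format are this example's choices. The net/mask form is what DefineIfaceVar() in parser.c builds from pcap_lookupnet() as far as I read it; check that against the 2.9.7.0 tree, and use the host address form James suggests below if the rule is meant to match only the sensor's own address. The sample `ip` output inside the script is constructed for the offline demo.]

```sh
#!/bin/sh
# Added example, not code from this thread or from the Snort project.
# Generate a Snort include file with one "ipvar <iface>_ADDRESS net/mask" line
# per IPv4 interface, so rules that use $eth1_ADDRESS keep working on a
# --enable-sourcefire build where parser.c skips DefineAllIfaceVars().
# Run once at boot as root (init script / systemd unit) before snort starts;
# snort itself can then still drop privileges with -u/-g as usual.
# Assumptions: Linux with iproute2 (`ip -4 -o addr show`); the output path and
# the net/dotted-mask value format are this script's choices, not Snort's.

# Constructed sample of `ip -4 -o addr show` output for the offline demo
# and the self-check; not captured from a real sensor.
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet 192.0.2.17/24 brd 192.0.2.255 scope global eth1\       valid_lft forever preferred_lft forever
4: eth2    inet 198.51.100.9/30 brd 198.51.100.11 scope global eth2\       valid_lft forever preferred_lft forever'

# Dotted quad -> 32-bit integer (shell arithmetic is 64-bit on Linux, so no overflow).
ip_to_int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length (0-32) -> dotted netmask, e.g. 24 -> 255.255.255.0.
prefix_to_mask() {
    [ "$1" -ge 0 ] && [ "$1" -le 32 ] || { echo "bad prefix length: $1" >&2; return 1; }
    int_to_ip $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Read `ip -4 -o addr show` output on stdin; print one ipvar line per
# interface. Loopback is skipped, and so is any interface whose name is not
# a legal Snort variable name (e.g. "eth0.100" or "br-lan"); give those an
# alias by hand rather than emit a line snort will reject.
iface_ipvars() {
    while read -r _idx iface fam cidr _rest; do
        [ "$fam" = inet ] || continue
        [ "$iface" = lo ] && continue
        case $iface in *[!A-Za-z0-9_]*) continue ;; esac
        addr=${cidr%/*}
        plen=${cidr#*/}
        mask=$(prefix_to_mask "$plen") || continue
        net=$(int_to_ip $(( $(ip_to_int "$addr") & $(ip_to_int "$mask") )))
        printf 'ipvar %s_ADDRESS %s/%s\n' "$iface" "$net" "$mask"
    done
}

# Write the include file atomically (temp file + rename) so a snort start
# racing the boot script never reads a half-written file. Pull it in from
# snort.conf with a line such as:  include iface_vars.conf
write_iface_vars() {
    command -v ip >/dev/null 2>&1 || { echo "ip(8) not found" >&2; return 1; }
    _tmp="$1.tmp.$$"
    {
        echo "# generated at boot by $0; do not edit"
        ip -4 -o addr show | iface_ipvars
    } > "$_tmp" && mv "$_tmp" "$1"
}

if [ "$#" -gt 0 ]; then
    write_iface_vars "$1"            # e.g. ./snort-iface-vars.sh /etc/snort/iface_vars.conf
else
    printf '%s\n' "$SAMPLE_IP_OUTPUT" | iface_ipvars   # offline demo on the constructed sample
fi
```

On the constructed sample this prints three lines, e.g. "ipvar eth1_ADDRESS 192.0.2.0/255.255.255.0"; an interface such as eth0.100 produces nothing, by design. Because the file is regenerated at every boot, a sensor whose interface address changes (DHCP, re-addressing) picks up the new value on restart without anyone touching local.rules.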

 

 

From: James Lay [mailto:jlay at ...13475...] 
Sent: Tuesday, February 17, 2015 3:52 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?

 

On 2015-02-17 01:32 PM, Al Lewis (allewi) wrote:

Can you send us the conf file you are using? Or how you are defining the variables?

 

Thanks!

 

 

Albert Lewis

QA Software Engineer

SOURCEfire, Inc. now part of Cisco

9780 Patuxent Woods Drive
Columbia, MD 21046 

Phone: (office) 443.430.7112

Email: allewi at ...589...

 

From: Starner, Mark [mailto:mark.starner at ...5850...] 
Sent: Tuesday, February 17, 2015 12:54 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?

 

Ok, I get that. So I come back to my original question.

 

How do I get $ethX_ADDRESS variables assigned if --enable-sourcefire is configured and I am not running snort as root? I thought running as root was a bad idea?

 

Here is the section of code from parser.c

 

#ifndef SOURCEFIRE
    /* If snort is not run with root privileges, no interfaces will be defined,
     * so user beware if an iface_ADDRESS variable is used in snort.conf and
     * snort is not run as root (even if just in read mode) */
    DefineAllIfaceVars(sc);
#endif

 

Is there another way to enable that?

 

Curious what the thinking is here?

 

Thanks

Mark

 

 

From: Joel Esler (jesler) [mailto:jesler at ...589...] 
Sent: Tuesday, February 17, 2015 12:21 PM
To: Starner, Mark
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?

 

Unfortunately that disables everything that we test against with the ruleset.  I suggest you not do that. 

 

 

On Feb 17, 2015, at 12:03 PM, Starner, Mark <mark.starner at ...5850...> wrote:

 

I retract my question. I configured "--enable-sourcefire" for the first time and found the comment in parser.c that said the $IF_ADDRESS variables are not defined if Sourcefire is enabled and snort is not running as root. So I recompiled without "--enable-sourcefire" and all is well.

 

Maybe this will help anyone else who comes across this.

 

Mark

 

 

From: Starner, Mark [mailto:mark.starner at ...5850...] 
Sent: Tuesday, February 17, 2015 11:33 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?

 

I use $eth1_ADDRESS in one of my local rules, and when snort 2.9.7.0 starts, it says:

ERROR: rules/local.rules(8) Undefined variable in the string: $eth1_ADDRESS.

 

I think I encountered this with a previous upgrade, but I don’t recall how I resolved it.

 

So:

1) Is this still valid with 2.9.7.0?

2) If yes, then what would cause this NOT to be defined? (Yes, I verified I have an eth1 and it has an IP address defined.)

 

Thanks

Mark

 

Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

 

Define it at the start of local.rules:

ipvar eth1_ADDRESS <ip.address>

James
