
List:       snort-devel
Subject:    [Snort-devel] snort-1.81-beta5: eth0_ADDRESS substitution
From:       Sven Carstens <s.carstens () gmx ! de>
Date:       2001-07-31 9:47:09

On Sun, 30 Jul 2001, Martin Roesch <roesch@sourcefire.com> wrote:
> Try 'var HOME_NET $eth0_address', that should work.  Additionally,
> please update to http://www.snort.org/files/snort-1.8.1-beta5.tar.gz,
> that's a much better version than 1.8-RELEASE.

Been there, done that and goofed again!

On Sun, 30 Jul 2001, Fyodor <fygrave@tigerteam.net> wrote:
> hmm.. shouldn't it be eth0:0_ADDRESS? :) also is there any chance to
> rebuild snort with debugging options and show us the output? :)

I grabbed 1.8.1-beta5 and built it with debug output enabled.
Installed it on my development machine with network setup as follows:

-------------------------------------------------------
eth0      Link encap:Ethernet  HWaddr 00:80:C8:F5:83:7C
          inet addr:192.168.0.107  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::280:c8ff:fef5:837c/10 Scope:Link
          inet6 addr: fe80::80:c8f5:837c/10 Scope:Link
-------------------------------------------------------

I assume that the ExpandVars bit is relevant.
snort.conf is only one line:

-------------------------------------------------------
var HOME_NET $eth0_address
-------------------------------------------------------

debug output (preprocessors snipped) is:

-------------------------------------------------------
Parsing Rules file snort.conf
 
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
initial idx set to '
'
[*] Processing rule: var HOME_NET $eth0_address
 
ExpandVars, Before: var HOME_NET $eth0_address
ExpandVars, After: var HOME_NET 216.250.40.64/4.0.0.0
mstring.c:110: [*] Splitting string: var HOME_NET 216.250.40.64/4.0.0.0
mstring.c:111: curr_str = 0
mstring.c:138: max_strs = 9  curr_str = 0
mstring.c:156: Allocating 4 bytes for token mstring.c:170: tok[0]: var
mstring.c:175: curr_str = 1
mstring.c:177: max_strs = 9  curr_str = 1
mstring.c:183: Checking if curr_str (1) >= max_strs (9)
mstring.c:156: Allocating 9 bytes for token mstring.c:170: tok[1]: HOME_NET
mstring.c:175: curr_str = 2
mstring.c:177: max_strs = 9  curr_str = 2
mstring.c:183: Checking if curr_str (2) >= max_strs (9)
mstring.c:248: Allocating 22 bytes for last token mstring.c:258: tok[2]: 216.250.40.64/4.0.0.0
mstring.c:263: mSplit got 3 tokens!
[*] Rule start
Rule type: Variable
0 Snort rules read...
0 Option Chains linked into 0 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
-------------------------------------------------------

CU Sven


_______________________________________________
Snort-devel mailing list
Snort-devel@lists.sourceforge.net
http://lists.sourceforge.net/lists/listinfo/snort-devel
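
Added example, not part of the original message and not Snort code: a check that compares the value in the "ExpandVars, After" debug line with the address and mask ifconfig reports for the interface, so a bad HOME_NET expansion is caught before the sensor runs with it. The function names are hypothetical, and the sample input is constructed from the output quoted in the message.

```python
import ipaddress
import re

# Constructed sample input, taken from the ifconfig and debug output quoted above.
IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:80:C8:F5:83:7C
          inet addr:192.168.0.107  Bcast:192.168.0.255  Mask:255.255.255.0
"""
DEBUG_LOG = """\
ExpandVars, Before: var HOME_NET $eth0_address
ExpandVars, After: var HOME_NET 216.250.40.64/4.0.0.0
"""

def interface_network(ifconfig_text):
    """Return the IPv4 network of the interface (net-tools ifconfig format)."""
    m = re.search(r"inet addr:(\S+)\s.*?Mask:(\S+)", ifconfig_text)
    if not m:
        raise ValueError("no IPv4 address found in ifconfig output")
    return ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)

def expanded_value(debug_text, var="HOME_NET"):
    """Return the value assigned to `var` in the 'ExpandVars, After' line."""
    m = re.search(rf"ExpandVars, After: var {re.escape(var)} (\S+)", debug_text)
    if not m:
        raise ValueError(f"no expansion of {var} found in debug output")
    return m.group(1)

def check_expansion(ifconfig_text, debug_text, var="HOME_NET"):
    """Return a list of problems; an empty list means the expansion matches."""
    expected = interface_network(ifconfig_text)
    value = expanded_value(debug_text, var)
    problems = []
    try:
        # Rejects masks that are not contiguous, such as 4.0.0.0.
        got = ipaddress.IPv4Network(value, strict=False)
        if got != expected:
            problems.append(f"{var} {value}: network {got} differs from {expected}")
    except ValueError as exc:
        problems.append(f"{var} {value}: invalid network ({exc})")
    try:
        if ipaddress.IPv4Address(value.split("/")[0]) not in expected:
            problems.append(f"{var} {value}: address is outside {expected}")
    except ValueError as exc:
        problems.append(f"{var} {value}: invalid address ({exc})")
    return problems

if __name__ == "__main__":
    for line in check_expansion(IFCONFIG, DEBUG_LOG):
        print("WARNING:", line)
```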
