List: snort-devel
Subject: [Snort-devel] snort-1.81-beta5: eth0_ADDRESS substitution
From: Sven Carstens <s.carstens () gmx ! de>
Date: 2001-07-31 9:47:09
On Sun, 30 Jul 2001, Martin Roesch <roesch@sourcefire.com> wrote:
> Try 'var HOME_NET $eth0_address', that should work. Additionally,
> please update to http://www.snort.org/files/snort-1.8.1-beta5.tar.gz,
> that's a much better version than 1.8-RELEASE.
Been there, done that and goofed again!
On Sun, 30 Jul 2001, Fyodor <fygrave@tigerteam.net> wrote:
> hmm.. shouldn't it be eth0:0_ADDRESS? :) also is there any chance to
> rebuild snort with debugging options and show us the output? :)
I grabbed 1.8.1-beta5 and built it with debug output enabled.
Installed it on my development machine with network setup as follows:
-------------------------------------------------------
eth0 Link encap:Ethernet HWaddr 00:80:C8:F5:83:7C
inet addr:192.168.0.107 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::280:c8ff:fef5:837c/10 Scope:Link
inet6 addr: fe80::80:c8f5:837c/10 Scope:Link
-------------------------------------------------------
I assume that the ExpandVars bit is relevant.
snort.conf is only one line
-------------------------------------------------------
var HOME_NET $eth0_address
-------------------------------------------------------
debug output (preprocessors snipped) is:
-------------------------------------------------------
Parsing Rules file snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
initial idx set to '
'
[*] Processing rule: var HOME_NET $eth0_address
ExpandVars, Before: var HOME_NET $eth0_address
ExpandVars, After: var HOME_NET 216.250.40.64/4.0.0.0
mstring.c:110: [*] Splitting string: var HOME_NET 216.250.40.64/4.0.0.0
mstring.c:111: curr_str = 0
mstring.c:138: max_strs = 9 curr_str = 0
mstring.c:156: Allocating 4 bytes for token mstring.c:170: tok[0]: var
mstring.c:175: curr_str = 1
mstring.c:177: max_strs = 9 curr_str = 1
mstring.c:183: Checking if curr_str (1) >= max_strs (9)
mstring.c:156: Allocating 9 bytes for token mstring.c:170: tok[1]: HOME_NET
mstring.c:175: curr_str = 2
mstring.c:177: max_strs = 9 curr_str = 2
mstring.c:183: Checking if curr_str (2) >= max_strs (9)
mstring.c:248: Allocating 22 bytes for last token mstring.c:258: tok[2]: 216.250.40.64/4.0.0.0
mstring.c:263: mSplit got 3 tokens!
[*] Rule start
Rule type: Variable
0 Snort rules read...
0 Option Chains linked into 0 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
-------------------------------------------------------
CU Sven
_______________________________________________
Snort-devel mailing list
Snort-devel@lists.sourceforge.net
http://lists.sourceforge.net/lists/listinfo/snort-devel