
Snort Forums Archive


bug - Snort 2.4.3 Variables don't expand within {}


Posted by arekkusa on January 09, 2006 05:23:51

This bug was reported in 2003 (Snort version 2.0.0).

https://sourceforge.net/tracker/?func=detail&atid=103357&aid=733098&group_id=3357

I have tried to use variables inside ruletype brackets in Snort v2.4.3 and I have the same problem.

Any ideas?

Thanks in advance.

Posted by brevizniak on January 09, 2006 07:55:33

Variables do not operate within curly braces. You need to use brackets.

[10.1.2.0/24,192.168.0.0/16]

Posted by arekkusa on January 09, 2006 08:55:47

Sorry, I think you didn't understand me.

I mean that a variable declared in the config file isn't visible inside a ruletype { }.

Example:

var INTERFACE eth1

ruletype test
{
type alert
output alert_CSV: $INTERFACE.log default
}

Snort doesn't replace $INTERFACE with "eth1" inside the ruletype.

I think this didn't happen in versions previous to 2.0.0.

Thanks

Posted by brevizniak on January 09, 2006 09:00:46

Gotcha. Variables do not expand anywhere except within rules.

Posted by arekkusa on January 09, 2006 09:08:25

Sure?

Variables work in output declarations.

Example:

var INTERFACE eth1

output alert_CSV: $INTERFACE.log default

This configuration works properly.

I read that in version 1.xx the variables worked in ruletype too.

Thanks

Posted by brevizniak on January 09, 2006 09:21:57

I am sure that the only place variables are guaranteed to work is within rules.

~/snort-2.4.3/src/output-plugins $ grep -Ri expandvar *
parser.c: strncpy(rule, ExpandVars(prule), PARSERULE_SIZE-1);
parser.c: * Function: ExpandVars(char *)
parser.c:char *ExpandVars(char *string)
parser.c: DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES, "ExpandVars, Before: %s\n", string););
parser.c: DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES, "ExpandVars, After: %s\n", estring););
parser.h:char *ExpandVars(char *);


~/snort-2.4.3/src/output-plugins $ grep -i vari *
Makefile:# Tell versions [3.59,3.63) of GNU make to not export all variables.
Makefile.in:# Tell versions [3.59,3.63) of GNU make to not export all variables.
spo_alert_syslog.c: FatalError("%s(%d) => Undefined variable %s\n",
spo_alert_unixsock.h: u_int8_t alertmsg[ALERTMSG_LENGTH]; /* variable.. */
spo_database.c:/******** Global Variables ********************************************/
spo_database.c: ErrorMessage("database : ORACLE_HOME environment variable not set\n");
spo_log_tcpdump.c:extern PV pv; /* program variables struct */
spo_unified.c:/* ----------------External variables -------------------- */
spo_unified.c:/* -------------------- Global Variables ----------------------*/

Feel free to instrument areas where you need variable expansion using ExpandVars.
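As an added example (not Snort's code and not from either poster), here is a small Python pre-processor that applies the $NAME expansion Snort only performs on rule lines to the whole config before it is handed to Snort, plus a check that reports any reference left inside a ruletype { } block. The sample config is constructed; the `var NAME value` / `$NAME` syntax and the `alert_csv` plugin name are taken from Snort's config format as assumptions.

```python
import re
# Constructed sample config reproducing the thread's case: $INTERFACE is
# declared at the top level and referenced inside a ruletype { } block.
SAMPLE_CONF = """\
var INTERFACE eth1
var HOME_NET [10.1.2.0/24,192.168.0.0/16]
ruletype test
{
type alert
output alert_csv: $INTERFACE.log default
}
test tcp $HOME_NET any -> any 80 (msg:"demo rule"; sid:1000001;)
"""

VAR_DECL = re.compile(r"^\s*var\s+(\w+)\s+(.+?)\s*$")
VAR_REF = re.compile(r"\$(\w+)")


def expand_config(text):
    """Expand every $NAME reference, ruletype blocks included.
    Returns (expanded_text, sorted names referenced but never declared)."""
    variables, undefined, out = {}, set(), []
    def repl(match):
        name = match.group(1)
        if name not in variables:
            undefined.add(name)
            return match.group(0)  # leave it for the report below
        return variables[name]
    for line in text.splitlines():
        decl = VAR_DECL.match(line)
        if decl:  # a value may reference variables declared earlier
            variables[decl.group(1)] = VAR_REF.sub(repl, decl.group(2))
            out.append(line)  # keep declarations for Snort's own rule expansion
        else:
            out.append(VAR_REF.sub(repl, line))
    return "\n".join(out) + "\n", sorted(undefined)


def unexpanded_in_blocks(text):
    """Return (line_number, name) for $NAME references left inside { } blocks,
    the spots the thread says Snort 2.4.3's ExpandVars never reaches."""
    findings, depth = [], 0
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped == "{":
            depth += 1
        elif stripped == "}":
            depth -= 1
        elif depth > 0:
            findings.extend((lineno, n) for n in VAR_REF.findall(line))
    return findings
```

Run `unexpanded_in_blocks` on the raw config to see which references Snort would leave literal, then feed the output of `expand_config` to Snort instead of the original file.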