Adam Keeton firstname.lastname@example.org
Documentation last update 2007-08-08
The Snort configuration file allows a user to declare and use variables for configuring Snort. Variables may contain a string (such as to be used in a path), IPs, or ports.
NOTE: The behavior for negating IP, IP lists, and CIDR blocks has changed! See the IP Variables and IP Lists section below for more information.
IPs may be specified individually, in a list, as a CIDR block, or any combination of the three. IP variables should be specified using ‘ipvar’ instead of ‘var’. Using ‘var’ for an IP variable is still allowed for backward compatibility, but it will be deprecated in a future release.
Lists of IPs or CIDR blocks must be enclosed in square brackets.
IPs, IP lists, and CIDR blocks may be negated with ‘!’. Negation is handled differently compared with Snort versions 2.7.x and earlier. Previously, each element in a list was logically OR’ed together. IP lists now OR non-negated elements and AND the result with the OR’ed negated elements. For example:
The list: [184.108.40.206,220.127.116.11/24,![18.104.22.168,22.214.171.124]] Will match the IP 126.96.36.199 and IP from 188.8.131.52 to 184.108.40.206, with the exception of 220.127.116.11 and 18.104.22.168.
The order of elements in the list does not matter. The element ‘any’ can be used to match all IPs, although ‘!any’ is not allowed. Also, negated IP ranges that are more general than non-negated IP ranges are not allowed.
Examples of valid uses of IP variables and lists:
ipvar EXAMPLE [22.214.171.124,126.96.36.199/24,![188.8.131.52,184.108.40.206]] alert tcp $EXAMPLE any -> any any (msg:"Example"; sid:1;) alert tcp [220.127.116.11/8,!18.104.22.168/24] any -> any any (msg:"Example";sid:2;)
Examples of invalid uses of IP variables and lists:
Use of !any: ipvar EXAMPLE any alert tcp !$EXAMPLE any -> any any (msg:"Example";sid:3;) Or: ipvar EXAMPLE !any alert tcp $EXAMPLE any -> any any (msg:"Example";sid:3;) Logical contradictions: ipvar EXAMPLE [22.214.171.124,!126.96.36.199] Nonsensical negations: ipvar EXAMPLE [188.8.131.52/24,!184.108.40.206/16]
Portlists supports the declaration and lookup of ports and the representation
of lists and ranges of ports. Variables, ranges, or lists may all be negated
with ‘!’. Also, ‘any’ will specify any ports, but ‘!any’ is not allowed.
Valid port ranges are from 0 to 65535.
Lists of ports must be enclosed in brackets and port ranges may be specified with a ‘:’, such as in:
Port variables should be specified using ‘portvar’. The use of ‘var’ to declare a port variable will be deprecated in a future release. For backwards compatibility, a ‘var’ can still be used to declare a port variable, provided the variable name either ends with ‘PORT’ or begins with ‘PORT’.
Examples of valid uses of port variables and port lists:
portvar EXAMPLE1 80 var EXAMPLE2_PORT [80:90] var PORT_EXAMPLE2  portvar EXAMPLE3 any portvar EXAMPLE4 [!70:90] portvar EXAMPLE5 [80,91:95,100:200] alert tcp any $EXAMPLE1 -> any $EXAMPLE2_PORT (msg:"Example"; sid:1;) alert tcp any $PORT_EXAMPLE2 -> any any (msg:"Example"; sid:2;) alert tcp any 90 -> any [100:1000,9999:20000] (msg:"Example"; sid:3;)
Invalid uses port variables and port lists:
Use of !any: portvar EXAMPLE5 !any var EXAMPLE5 !any Logical contradictions: portvar EXAMPLE6 [80,!80] Ports out of range: portvar EXAMPLE7  Incorrect declaration and use of a port variable: var EXAMPLE8 80 alert tcp any $EXAMPLE8 -> any any (msg:"Example"; sid:4;) Port variable used as an IP: alert tcp $EXAMPLE1 any -> any any (msg:"Example"; sid:5;)
When embedding variables, types can not be mixed. For instance, port variables can be defined in terms of other port variables, but old-style variables (with the ‘var’ keyword) can not be embedded inside a ‘portvar’.
Valid embedded variable: portvar pvar1 80 portvar pvar2 [$pvar1,90] Invalid embedded variable: var pvar1 80 portvar pvar2 [$pvar,90]
Likewise, variables can not be redefined if they were previously defined as a different type. Instead, a different name should be used.
When defining a port variable or an IP variable, do not use a regular variable in the definition:
Invalid definition: var regularvar 80 portvar pvar $regularvar