Three types of variables may be defined in Snort: var, portvar, and ipvar.

These are simple substitution variables set with the var, ipvar, or portvar keywords as follows:

    var RULES_PATH rules/
    portvar MY_PORTS [22,80,1024:1050]
    ipvar MY_NET [,]
    alert tcp any any -> $MY_NET $MY_PORTS (flags:S; msg:"SYN packet";)
    include $RULES_PATH/example.rule
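
The following lint is an added example, not part of the Snort manual or the Snort code base: it reports `$NAME` references that no earlier `var`, `ipvar`, or `portvar` line has defined. The function name `lint_variables` and the sample addresses are constructed for illustration, and it assumes that a definition must appear above its first use and that only the plain `$NAME` form is in play.

```python
import re

# Definition line: keyword, variable name, value (keywords as named on this page).
DEF_RE = re.compile(r"^\s*(var|ipvar|portvar)\s+([A-Za-z_]\w*)\s+(.+?)\s*$")
# Plain $NAME references only; other reference forms are out of scope here.
REF_RE = re.compile(r"\$([A-Za-z_]\w*)")

# Constructed sample; the addresses are documentation ranges, not from the page.
SAMPLE = """\
var RULES_PATH rules/
portvar MY_PORTS [22,80,1024:1050]
ipvar MY_NET [192.0.2.0/24,198.51.100.0/24]
alert tcp any any -> $MY_NET $MY_PORTS (flags:S; msg:"SYN $packet";)
include $RULE_PATH/example.rule
"""


def lint_variables(config_text):
    """Return (defined, problems) for Snort-style config text.

    defined  -- dict mapping name -> (keyword, value)
    problems -- list of (line_number, name) for references with no
                definition on an earlier line
    """
    defined, problems = {}, []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DEF_RE.match(line)
        # For definitions scan only the value; for rules scan only the header,
        # so a "$" inside rule options (msg, content, pcre) is not misread.
        scan = m.group(3) if m else line.split("(", 1)[0]
        for name in REF_RE.findall(scan):
            if name not in defined:
                problems.append((lineno, name))
        if m:
            defined[m.group(2)] = (m.group(1), m.group(3))
    return defined, problems


if __name__ == "__main__":
    _, found = lint_variables(SAMPLE)
    for lineno, name in found:
        print(f"line {lineno}: ${name} is not defined above this line")
```
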


Eugene Misnik 2013-05-08