Snort mailing list archives
Re: Snort 2.8.3 SID rule value upper bound?
From: "Geoff Whittington" <geoff.whittington () gmail com>
Date: Tue, 2 Dec 2008 12:07:36 -0500
First, thank-you for your replies - I've been away from the office hence my late reply. We encountered an event when a signature required a large number of rules and it broke our typical <10 rule assumption. In a perfect world a doubling would help us. We ended working around the issue, however. Best wishes, - Geoff On Sat, Nov 15, 2008 at 9:12 PM, Todd Wease <twease () sourcefire com> wrote:
Hi Geoff, I don't believe sids greater than 2147483647 have ever been supported. Just did a quick check with 2.6.1.5 and looked at CVS and the code that sets the sid uses atoi() and has never been changed. Do you have a need for larger sids? If so, I believe it would be an easy fix to up this to 4294967295. Todd Matt Olney wrote:Er.... MAX_INT? Seems like there was a guy on irc a bit ago who had a very high sid that looped. We thought that max_int was the problem, but I'm not sure we checked source code. I'm waiting for a table, so I can't check ;) Sent from my iPhone On Nov 14, 2008, at 5:31 PM, "Geoff Whittington" <geoff.whittington () gmail com > wrote:Hello, Can someone confirm the maximum value that can be defined for a rule sid ? I seem to be seeing unreliable behaviour when a rule is defined with a sid > 2147483646. This does not seem to affect 2.4.5, or 2.6.1.5. Cheers, - Geoff --- ---------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort 2.8.3 SID rule value upper bound? Geoff Whittington (Nov 14)
- Re: Snort 2.8.3 SID rule value upper bound? Matt Olney (Nov 14)
- Re: Snort 2.8.3 SID rule value upper bound? Todd Wease (Nov 15)
- Re: Snort 2.8.3 SID rule value upper bound? Geoff Whittington (Dec 02)
- Re: Snort 2.8.3 SID rule value upper bound? Todd Wease (Nov 15)
- Re: Snort 2.8.3 SID rule value upper bound? Matt Olney (Nov 14)