Snort mailing list archives
[SPAM] Re: Snort variables longer than 65535 bytes
From: Dave Venman <dave.venman () yahoo co uk>
Date: Mon, 2 Dec 2013 08:50:41 +0000
Jon:

At the risk of coming across as flippant, I would suggest that the workaround is to review the variables and reduce their size. I would hazard a guess that the variables causing the problem have grown organically over the years, and this has led to that situation. 64K for a list of IPs or ports? Very odd.

On Tue, Nov 19, 2013 at 8:24 PM, Jon Larson <jon () catbird com> wrote:
In my snort configuration I have a variable that's really long, split over multiple lines that are each about 12k. When I go to start snort I get this error in /var/log/messages:

FATAL ERROR: /opt/company/etc/vars.conf(67) Rule greater than or equal to 65535 characters which is more than the parser is willing to handle. Submit a bug to bugs () snort org if you legitimately feel like your rule or keyword configuration needs more than this amount of space.

I see in the code (src/rules.h) this:

#define PARSERULE_SIZE (65535)

We're using version 2.9.4.1. Has this been addressed in a future release? Or, can someone suggest a workaround that's short of changing the snort code?

--
Jon Larson
Software Engineer
Catbird, * Real Security for the Virtual World *
jon () catbird com | 1-866-682-0080 | www.catbird.com
<http://www.twitter.com/@CatbirdSecurity>
<http://www.linkedin.com/company/catbird-networks>
<https://www.youtube.com/user/CatbirdSecurity>
<http://www.facebook.com/catbirdsecurevirtualization>
<https://plus.google.com/107946134686380966108/posts>

------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT organizations don't have a clear picture of how application performance affects their revenue. With AppDynamics, you get 100% visibility into your Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
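A pre-flight check for the situation discussed in this thread, added here as an example (it is not code from either poster or from the Snort project): it joins backslash-continued lines in a variables file and reports any var/ipvar/portvar definition at or near the 65535-character limit quoted above. It assumes the limit applies to the joined logical line; the function names, the 80% warning threshold and the sample data are constructed for illustration.

```python
import re

PARSERULE_SIZE = 65535  # limit quoted in the thread from src/rules.h
VAR_RE = re.compile(r"^\s*(var|ipvar|portvar)\s+(\S+)\s")

def logical_lines(text):
    """Yield (first_line_no, joined_text), merging backslash continuations."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        start = no if start is None else start
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])      # drop the backslash, keep reading
            continue
        yield start, "".join(buf) + line
        buf, start = [], None
    if buf:                            # file ended on a dangling continuation
        yield start, "".join(buf)

def oversized(text, limit=PARSERULE_SIZE, warn_ratio=0.8):
    """Return (line_no, name, length, status) for definitions at or near limit.

    Length is an estimate: the real parser may count whitespace differently.
    """
    findings = []
    for no, joined in logical_lines(text):
        m = VAR_RE.match(joined)
        if not m:
            continue
        if len(joined) >= limit:       # same ">=" wording as the FATAL ERROR
            findings.append((no, m.group(2), len(joined), "FATAL"))
        elif len(joined) >= limit * warn_ratio:
            findings.append((no, m.group(2), len(joined), "WARN"))
    return findings

def sample_conf():
    """Constructed input: one small variable, one split over long lines."""
    addrs = [f"10.{i // 256}.{i % 256}.1" for i in range(6000)]
    chunks = [",".join(addrs[i:i + 1000]) for i in range(0, 6000, 1000)]
    big = "ipvar BIG_NET [" + ",\\\n".join(chunks) + "]"
    return "ipvar HOME_NET [192.168.0.0/16]\n" + big + "\n"

if __name__ == "__main__":
    for no, name, length, status in oversized(sample_conf()):
        print(f"{status}: line {no}: {name} is {length} characters "
              f"(limit {PARSERULE_SIZE})")
```

Running it against a real variables file before restarting the sensor flags the offending definition by its first line number, so the variable can be reviewed and reduced while the sensor is still running.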
Current thread:
- [SPAM] Re: Snort variables longer than 65535 bytes Dave Venman (Dec 02)