[SPAM] Re: Snort variables longer than 65535 bytes

[Dave Venman <dave.venman () yahoo co uk>]

Jon:

  At the risk of coming across as flippant, I would suggest that the
workaround is to review the variables and reduce their size.

  I would hazard a guess that the variables causing the problem have grown
organically over the years, and this has led to that situation.  64K for a
list of IPs or ports ?  Very odd.


On Tue, Nov 19, 2013 at 8:24 PM, Jon Larson <jon () catbird com> wrote:

>  In my snort configuration I have a variable that's really long, split
> over multiple lines that are each about 12k.  When I go to start snort I
> get this error in /var/log/messages:
>
> FATAL ERROR: /opt/company/etc/vars.conf(67) Rule greater than or equal to
> 65535 characters which is more than the parser is willing to handle.
> Submit a bug to bugs () snort org if you legitimately feel like your rule or
> keyword configuration needs more than this amount of space.
>
> I see in the code (src/rules.h) this:
> #define PARSERULE_SIZE         (65535)
>
> We're using version 2.9.4.1.  Has this been addressed in a future
> release?  Or, can someone suggest a workaround that's short of changing the
> snort code?
>
> --
>
> Jon Larson
> Software Engineer
> Catbird, * Real Security for the Virtual World *
> jon () catbird com | 1-866-682-0080 | www.catbird.com
>
>   <http://www.twitter.com/@CatbirdSecurity>
> <http://www.linkedin.com/company/catbird-networks>
> <https://www.youtube.com/user/CatbirdSecurity>
> <http://www.facebook.com/catbirdsecurevirtualization>
> <https://plus.google.com/107946134686380966108/posts>
>
>
> ------------------------------------------------------------------------------
> Rapidly troubleshoot problems before they affect your business. Most IT
> organizations don't have a clear picture of how application performance
> affects their revenue. With AppDynamics, you get 100% visibility into your
> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics
> Pro!
> http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT 
organizations don't have a clear picture of how application performance 
affects their revenue. With AppDynamics, you get 100% visibility into your 
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!