Snort mailing list archives
Re: Snort variables longer than 65535 bytes
From: Joshua Kinard <kumba () gentoo org>
Date: Mon, 02 Dec 2013 08:39:59 -0500
I'd also break out an IP calculator and see if some of the addresses can't be merged using CIDR blocks. That would shorten the address strings up a bit.

--J

On 12/02/2013 8:22 AM, Russ Combs wrote:
> That hasn't been changed since 2.9.4.1 but you should get the latest version for the many fixes and enhancements.
>
> If you compile from source, you can change that value to one that suits your needs. The value is somewhat arbitrary, but needing more than that is interesting. If you can share what exactly you are trying to do, we can take a look at changing it. Just need a compelling use case.
>
> Russ
>
> On Tue, Nov 19, 2013 at 3:24 PM, Jon Larson <jon () catbird com> wrote:
>> In my snort configuration I have a variable that's really long, split over multiple lines that are each about 12k. When I go to start snort I get this error in /var/log/messages:
>>
>> FATAL ERROR: /opt/company/etc/vars.conf(67) Rule greater than or equal to 65535 characters which is more than the parser is willing to handle. Submit a bug to bugs () snort org if you legitimately feel like your rule or keyword configuration needs more than this amount of space.
>>
>> I see in the code (src/rules.h) this:
>>
>> #define PARSERULE_SIZE (65535)
>>
>> We're using version 2.9.4.1. Has this been addressed in a future release? Or, can someone suggest a workaround that's short of changing the snort code?
>>
>> --
>> Jon Larson
>> Software Engineer
>> Catbird, * Real Security for the Virtual World *
>> jon () catbird com | 1-866-682-0080 | www.catbird.com
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
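The CIDR-merging workaround suggested in the reply above, as an added example that is not part of the original thread or of Snort: it collapses the plain addresses in an IP list and checks the result against the 65535-character limit quoted from src/rules.h. The function names and the sample list are constructed for illustration; the sketch assumes a flat list (no nested brackets) and that the position of negated entries within the list is not significant.

```python
import ipaddress

PARSERULE_SIZE = 65535  # value quoted in the thread from src/rules.h


def _fmt(net):
    # A single host is shorter written without its /32 or /128 suffix.
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def collapse_ipvar(value):
    """Return an equivalent, shorter IP list string.

    Plain addresses and CIDR blocks are merged. Negated entries (!x),
    variable references ($X) and 'any' are passed through unchanged.
    Entries with host bits set raise ValueError rather than being
    silently reinterpreted.
    """
    inner = value.strip()
    if inner.startswith("[") and inner.endswith("]"):
        inner = inner[1:-1]
    if "[" in inner or "]" in inner:
        raise ValueError("nested lists are not handled by this example")
    nets = {4: [], 6: []}
    passthrough = []
    for entry in (e.strip() for e in inner.split(",")):
        if not entry:
            continue
        if entry[0] in "!$" or entry == "any":
            passthrough.append(entry)
            continue
        net = ipaddress.ip_network(entry)
        nets[net.version].append(net)
    merged = []
    for version in (4, 6):  # collapse_addresses rejects mixed versions
        merged.extend(ipaddress.collapse_addresses(nets[version]))
    return "[" + ",".join([_fmt(n) for n in merged] + passthrough) + "]"


def fits_parser(line):
    # The parser aborts on lines "greater than or equal to" the limit.
    return len(line) < PARSERULE_SIZE


# Constructed sample using documentation address ranges.
SAMPLE = ("[192.0.2.0/25,192.0.2.128/25,192.0.2.10,198.51.100.4,"
          "198.51.100.5,203.0.113.7,!203.0.113.9,"
          "2001:db8::/33,2001:db8:8000::/33]")

if __name__ == "__main__":
    out = collapse_ipvar(SAMPLE)
    print(len(SAMPLE), "->", len(out), out, fits_parser("ipvar NETS " + out))
```

Merging only helps when the addresses are adjacent or overlapping; a list of scattered hosts comes back at its original length.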