Snort mailing list archives
Re: maximum length for msg?
From: Alex Kirk <alex.kirk () sourcefire com>
Date: Fri, 16 Sep 2005 09:11:05 -0400
Dirk,

You are correct about that line being present in decode.h. However, that #define doesn't seem to have any effect on Snort's ability to deal with longer msg strings. For example, I tested 2.3.3 and 2.4 with a fake rule designed to maximize the length of that string:
alert tcp any any -> any any (msg:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";)
and I got the full msg string in my alerts.

I don't know that I'd necessarily recommend a msg string over 255 bytes in light of the #define here -- I'm not familiar with that piece of the code, and I may be unaware of some feature that would be broken by a longer string -- but at the very least such a string shouldn't kill Snort, and if you're in an environment where you can afford to take the risk that your msg string may be truncated, there's nothing that I can see holding you back from giving it a shot.
Alex Kirk
Research Analyst
Sourcefire, Inc.
Hi Alex,

> There's no specific length maximum for the msg; as long as you keep your rule below 1,024 characters, you'll be fine.

Are you sure about this? At least I remember this as part of decode.h:

#define ALERTMSG_LENGTH 256

So I guess more than 255 characters in the messages won't make any sense, or? So maybe snort can read more characters from the rule but internally it only uses up to 255...

Best regards

Dirk
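An added example, not from the thread or from Snort itself: a small Python lint that parses a rule's option section and flags a msg longer than ALERTMSG_LENGTH - 1 characters, or a rule longer than the 1,024-character figure quoted in the thread, so the truncation risk Alex describes is caught when the rule is written rather than noticed in the alert log. The two limits are taken from the thread; the sample rules are constructed for illustration.

```python
from typing import List, Optional

# Limits discussed in the thread: ALERTMSG_LENGTH from Snort's decode.h and
# the 1,024-character rule figure quoted in the reply Dirk is answering.
ALERTMSG_LENGTH = 256
MAX_RULE_LEN = 1024

def split_options(rule: str) -> List[str]:
    """Return the ';'-separated option tokens inside the rule's parentheses.
    Backslash escapes are honoured, so an escaped ';' or '"' inside a msg
    value does not split or terminate the token."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        raise ValueError("rule has no option section")
    opts, buf, esc = [], [], False
    for ch in rule[start + 1:end]:
        if esc:
            buf.append(ch); esc = False
        elif ch == "\\":
            buf.append(ch); esc = True
        elif ch == ";":
            opts.append("".join(buf).strip()); buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        opts.append("".join(buf).strip())
    return opts

def msg_of(rule: str) -> Optional[str]:
    """Return the msg value without its surrounding quotes, or None."""
    for opt in split_options(rule):
        name, _, value = opt.partition(":")
        if name.strip() == "msg":
            return value.strip().strip('"')
    return None

def check_rule(rule: str) -> List[str]:
    """Return a list of findings; an empty list means the rule is within limits."""
    findings = []
    if len(rule) > MAX_RULE_LEN:
        findings.append(f"rule is {len(rule)} chars, over {MAX_RULE_LEN}")
    msg = msg_of(rule)
    if msg is None:
        findings.append("no msg option")
    elif len(msg) > ALERTMSG_LENGTH - 1:
        findings.append(f"msg is {len(msg)} chars; may be truncated to {ALERTMSG_LENGTH - 1}")
    return findings

# Constructed sample rules (not from the thread): one within limits, one whose
# msg mirrors the long 'AAAA...' test rule Alex posted.
SAMPLE_OK = 'alert tcp any any -> any any (msg:"test \\"quoted\\" alert"; sid:1000001; rev:1;)'
SAMPLE_LONG = 'alert tcp any any -> any any (msg:"%s"; sid:1000002; rev:1;)' % ("A" * 300)
```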
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users