Snort mailing list archives

Re: Snort variables longer than 65535 bytes


From: Russ Combs <rcombs () sourcefire com>
Date: Mon, 2 Dec 2013 08:22:35 -0500

That hasn't been changed since 2.9.4.1 but you should get the latest
version for the many fixes and enhancements.  If you compile from source,
you can change that value to one that suits your needs.

The value is somewhat arbitrary, but needing more than that is interesting.
 If you can share what exactly you are trying to do, we can take a look at
changing it.  Just need a compelling use case.

Russ



On Tue, Nov 19, 2013 at 3:24 PM, Jon Larson <jon () catbird com> wrote:

 In my snort configuration I have a variable that's really long, split
over multiple lines that are each about 12k.  When I go to start snort I
get this error in /var/log/messages:

FATAL ERROR: /opt/company/etc/vars.conf(67) Rule greater than or equal to
65535 characters which is more than the parser is willing to handle.
Submit a bug to bugs () snort org if you legitimately feel like your rule or
keyword configuration needs more than this amount of space.

I see in the code (src/rules.h) this:
#define PARSERULE_SIZE         (65535)

We're using version 2.9.4.1.  Has this been addressed in a future
release?  Or, can someone suggest a workaround that's short of changing the
snort code?

--

Jon Larson
Software Engineer
Catbird, * Real Security for the Virtual World *
jon () catbird com | 1-866-682-0080 | www.catbird.com



------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT
organizations don't have a clear picture of how application performance
affects their revenue. With AppDynamics, you get 100% visibility into your
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics
Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
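
A pre-flight check for the limit discussed in this thread, added here as an example (not code from either poster or from the Snort project). It joins backslash-continued lines and flags any logical line at or near `PARSERULE_SIZE`. The function names, the 90% warning threshold and the sample config are constructed for illustration, and the joining rule is an assumption that approximates Snort's parser, so treat the reported lengths as estimates.

```python
PARSERULE_SIZE = 65535  # the #define quoted from src/rules.h in the thread

def logical_lines(lines):
    """Yield (first_line_no, text) with backslash-continued lines joined.

    Assumption: a physical line ending in a backslash continues on the next
    line; blank lines and '#' comments between logical lines are skipped.
    """
    buf, start = "", None
    for no, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if start is None:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            start = no
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1]      # drop the continuation backslash
            continue
        yield start, buf + line
        buf, start = "", None
    if start is not None:                  # file ended on a dangling backslash
        yield start, buf

def oversized(lines, limit=PARSERULE_SIZE, warn_ratio=0.9):
    """Return [(line_no, length, status)] for logical lines at or near limit."""
    findings = []
    for no, text in logical_lines(lines):
        n = len(text)
        if n >= limit:                     # ">= limit" mirrors the error text
            findings.append((no, n, "FATAL"))
        elif n >= limit * warn_ratio:
            findings.append((no, n, "WARN"))
    return findings

# Constructed sample: one short variable, then one variable split across six
# continuation lines of about 12k characters each, as described in the thread.
CHUNK = ",".join("10.%d.%d.0/24" % (i // 256, i % 256) for i in range(900))
SAMPLE = ("ipvar SMALL [192.0.2.0/24]\n# constructed comment line\n"
          "ipvar BIG [" + ",\\\n".join([CHUNK] * 6) + "]\n")

if __name__ == "__main__":
    # For a real file: oversized(open("/path/to/vars.conf"))
    for no, n, status in oversized(SAMPLE.splitlines()):
        print("%s: logical line starting at line %d is %d chars (limit %d)"
              % (status, no, n, PARSERULE_SIZE))
```
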
