Home page logo

snort logo Snort mailing list archives

Re: Snort variables longer than 65535 bytes
From: Joshua Kinard <kumba () gentoo org>
Date: Mon, 02 Dec 2013 08:39:59 -0500

I'd also break out an IP calculator and see if some of the addresses can't
be merged using CIDR blocks.  That would shorten the address strings up a bit.


On 12/02/2013 8:22 AM, Russ Combs wrote:
That hasn't been changed since but you should get the latest
version for the many fixes and enhancements.  If you compile from source,
you can change that value to one that suits your needs.

The value is somewhat arbitrary, but needing more than that is interesting.
 If you can share what exactly you are trying to do, we can take a look at
changing it.  Just need a compelling use case.


On Tue, Nov 19, 2013 at 3:24 PM, Jon Larson <jon () catbird com> wrote:

 In my snort configuration I have a variable that's really long, split
over multiple lines that are each about 12k.  When I go to start snort I
get this error in /var/log/messages:

FATAL ERROR: /opt/company/etc/vars.conf(67) Rule greater than or equal to
65535 characters which is more than the parser is willing to handle.
Submit a bug to bugs () snort org if you legitimately feel like your rule or
keyword configuration needs more than this amount of space.

I see in the code (src/rules.h) this:
#define PARSERULE_SIZE         (65535)

We're using version  Has this been addressed in a future
release?  Or, can someone suggest a workaround that's short of changing the
snort code?


Jon Larson
Software Engineer
Catbird, * Real Security for the Virtual World *
jon () catbird com | 1-866-682-0080 | www.catbird.com

Rapidly troubleshoot problems before they affect your business. Most IT 
organizations don't have a clear picture of how application performance 
affects their revenue. With AppDynamics, you get 100% visibility into your 
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
Snort-devel mailing list
Snort-devel () lists sourceforge net

Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]