[Snort-devel] Help understanding/modifying limitations on the length and number of variables that can be defined for snort

John Pritchard john.r.pritchard at ...2499...
Thu Aug 2 13:39:02 EDT 2007


I am hoping to gain a better understanding of the limitations around
snort variable definitions (e.g. maximum number of characters that can
be defined for a single variable, max characters for all variables,
how the number of rules impact on these settings, and how memory
allocations might be modified to address any default settings...).

I've recently been encountering an issue where snort has stopped
parsing all of my pass rules.

In terms of HW specs... my snort processes (two separate ones) are
running on a dedicated linux box with 4GB of memory and four 3.40GHz
Intel Xeon processors.

No errors have been reported (by snort on startup), but when I perform
an analysis of my alerts, it is clear that pass rules that previously
kept alarms from being generated were no longer doing so (either
completely or in some partial capacity)....

Unfortunately, a number of system changes coincided with the change in
the pass rule behavior.
1) Upgraded snort from version 2.4.4 to version 2.6.1.5
2) Modified one of my variable definitions ($SMTP_SERVERS) that
increased its length by approximately 30%.

In troubleshooting this issue, I have since been able to return my
pass rules to a functional state by reducing the size of my
$SMTP_SERVERS variable definition (from approximately 160 IP addresses
or CIDR ranges, to around 120).

My identification that the length and complexity of snort variable
definitions impacts this issue is what has led me to ask for more
information on the limitations that exist and how they might be
modified.

In this respect, rather than just reducing the size of this variable
(which reduces the accuracy of my definition), I would prefer to
better understand the limitations I'm facing and how to address
constraints around the maximum number of elements that can be defined
within any single variable (or, perhaps, the limitation is based upon
the total number and length of variables defined -- I'm not sure where
the limitation specifically exists).

---
I suspect two issues are at play:
1) The snort parsers "8K limit on variables and rules after expansion"...
http://www.snort.org/docs/faq/3Q06/node84.html
4.31 How long can address lists, variables, or rules be?

2) The "ac" memory allocation method used in snort 2.6.1.5
http://www.snort.org/docs/faq/3Q06/node86.html
4.33 I upgraded to Snort 2.6 and it's using a lot of memory, what's up
with that?

---
My deployment is probably a bit outside of the norm and may be pushing
the envelope in terms of both the number of variables defined, as well
as the size of those variables.

If we take a look at my startup of snort, and perform an analysis of lines such as:
Var 'NET10' defined, value len = 12 chars, value = [10.0.0.0/8]

Extract the "len =" values, and add them all up...
I get a total that is right around 22450 characters used in
variable definitions.
[NOTE: with this total, things seem to work in terms of "pass" rules
executing properly.... it was when I exceeded this value that things
choked].

In terms of the number of variables defined, that's around 280 variables.

In terms of the largest single variable definitions, the biggest one
is more than 1800 characters... with several in excess of 1000
characters in the definition.

My "working" (i.e. pass rules parse as expected) SMTP_SERVERS
definition is just under 1800 characters (and I got it working by
manually dropping IP addresses from the definition until I got the
pass rules working again)...

So, where/how does this "8K limit" come into play?

Have I exceeded the 8K limit by almost 4 orders of magnitude
already... with having close to 24K characters in my variable
definitions?

I should mention that I've used a bit of a hack with success to
increase the maximum number of elements that can be placed in any
single variable.

Basically, I do something like the following (this is much less
complex than my actual definition, but should give you some idea of
how things get organized):
var SMTP_NET10 [10.0.0.0/8]
var SMTP_NET172 [172.20.20.1,172.20.20.2,172.20.20.3,172.20.20.4,172.20.30.1,172.20.30.2,172.20.30.3,172.20.30.4]
var SMTP_NET192 [192.168.50.1,192.168.50.2,192.168.50.3,192.168.50.4]
var SMTP_SERVERS [$SMTP_NET10,$SMTP_NET172,$SMTP_NET192]

If I am hitting limitations in the snort parser or memory allocations,
does anyone have any ideas on how to modify my configurations so that
I can increase the limit?

Thanks in advance for any suggestions from the team on how to
troubleshoot this issue further.

Cheers,

John
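A small script, added here as an example and not code from the post or from the Snort project, that performs the two checks John describes: summing the "value len" figures from snort's startup lines, and textually expanding nested var definitions to see how long each one becomes after substitution (the FAQ's limit is on length after expansion). The startup-line format, the 8192-character threshold (read from the FAQ's "8K" wording), and the config and log samples are all assumptions or constructed data.

```python
import re

# Constructed sample of snort startup output (assumed format, modelled on the line quoted in the post).
STARTUP_LOG = """\
Var 'NET10' defined, value len = 12 chars, value = [10.0.0.0/8]
Var 'SMTP_NET172' defined, value len = 49 chars, value = [172.20.20.1,172.20.20.2,172.20.20.3,172.20.20.4]
"""
# Constructed snort.conf fragment using the nested-variable layout from the post (sample values only).
SNORT_CONF = """\
var SMTP_NET10 [10.0.0.0/8]
var SMTP_NET172 [172.20.20.1,172.20.20.2,172.20.20.3,172.20.20.4]
var SMTP_NET192 [192.168.50.1,192.168.50.2,192.168.50.3,192.168.50.4]
var SMTP_SERVERS [$SMTP_NET10,$SMTP_NET172,$SMTP_NET192]
"""
STARTUP_LINE = re.compile(r"Var '(\w+)' defined, value len = (\d+) chars")
VAR_LINE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)\s*$")
REF = re.compile(r"\$(\w+)")

def startup_lens(log):
    """Sum the 'value len' figures snort prints at startup (the check described in the post)."""
    found = {m.group(1): int(m.group(2)) for m in STARTUP_LINE.finditer(log)}
    largest = max(found, key=found.get) if found else None
    return {"count": len(found), "total": sum(found.values()), "largest": largest}

def parse_vars(conf):
    """Return {name: raw_value} for every 'var' line, in file order."""
    return {m.group(1): m.group(2) for ln in conf.splitlines() if (m := VAR_LINE.match(ln))}

def expand(name, defs, seen=()):
    """Textually substitute $REF tokens recursively; reject unknown or cyclic references."""
    if name in seen:
        raise ValueError(f"cyclic reference through ${name}")
    if name not in defs:
        raise KeyError(f"undefined variable ${name}")
    return REF.sub(lambda m: expand(m.group(1), defs, seen + (name,)), defs[name])

def report(conf, limit=8192):
    """Raw and expanded length per variable; `limit` is the assumed 8K parser ceiling."""
    defs = parse_vars(conf)
    rows = {n: {"raw_len": len(v), "expanded_len": len(expand(n, defs))}
            for n, v in defs.items()}
    return {
        "count": len(rows),
        "total_raw_len": sum(r["raw_len"] for r in rows.values()),
        "largest": max(rows, key=lambda n: rows[n]["expanded_len"]),
        "over_limit": [n for n, r in rows.items() if r["expanded_len"] > limit],
        "vars": rows,
    }
```

Point `report()` at a real snort.conf to see which nested definitions grow past the threshold once their references are substituted, which the raw per-variable "value len" figures alone do not reveal.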
