[Snort-devel] [SPAM] Re: Snort variables longer than 65535 bytes

Dave Venman dave.venman at ...1101...
Mon Dec 2 03:50:41 EST 2013


Jon:

  At the risk of coming across as flippant, I would suggest that the
workaround is to review the variables and reduce their size.

  I would hazard a guess that the variables causing the problem have grown
organically over the years, and this has led to that situation.  64K for a
list of IPs or ports?  Very odd.


On Tue, Nov 19, 2013 at 8:24 PM, Jon Larson <jon at ...3287...> wrote:

>  In my snort configuration I have a variable that's really long, split
> over multiple lines that are each about 12k.  When I go to start snort I
> get this error in /var/log/messages:
>
> FATAL ERROR: /opt/company/etc/vars.conf(67) Rule greater than or equal to
> 65535 characters which is more than the parser is willing to handle.
> Submit a bug to bugs at ...835... if you legitimately feel like your rule or
> keyword configuration needs more than this amount of space.
>
> I see in the code (src/rules.h) this:
> #define PARSERULE_SIZE         (65535)
>
> We're using version 2.9.4.1.  Has this been addressed in a future
> release?  Or, can someone suggest a workaround that's short of changing the
> snort code?
>
> --
>
> Jon Larson
> Software Engineer
> Catbird, * Real Security for the Virtual World *
> jon at ...3287... | 1-866-682-0080 | www.catbird.com
>
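
Added example (not from the thread or the Snort project): a Python check that finds logical config lines at or over the 65535-character limit quoted above and shows how much a flat `ipvar` list shrinks when adjacent hosts are merged into CIDR blocks. It assumes the long variable is split with trailing backslashes and that the parser counts the joined line; the config text, the `BLOCKED` variable and `$EXTRA` are constructed for illustration.

```python
import ipaddress
import re

PARSERULE_SIZE = 65535  # limit quoted in the post from src/rules.h

def logical_lines(text):
    """Join backslash-continued lines (assumed syntax); yield (first_line_no, text)."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = no if start is None else start
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield start, buf + line
        buf, start = "", None

def collapse_ipvar(line):
    """Merge plain IP/CIDR entries of a flat 'ipvar NAME [..]' list into CIDR blocks."""
    m = re.match(r"\s*ipvar\s+(\S+)\s+\[(.*)\]\s*$", line)
    if not m or "[" in m.group(2):      # leave nested lists untouched
        return line
    nets, other = [], []
    for item in filter(None, (i.strip() for i in m.group(2).split(","))):
        try:
            nets.append(ipaddress.ip_network(item))
        except ValueError:              # negations, $VARS, 'any', host bits set
            other.append(item)
    merged = []
    for version in (4, 6):              # collapse_addresses rejects mixed versions
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return "ipvar %s [%s]" % (m.group(1), ",".join([str(n) for n in merged] + other))

def audit(text):
    """Return (line_no, old_len, new_len) for logical lines at or over the limit."""
    return [(no, len(l), len(collapse_ipvar(l)))
            for no, l in logical_lines(text) if len(l) >= PARSERULE_SIZE]

def sample_conf():
    """Constructed input: 8192 single hosts listed one by one over 8 physical lines."""
    hosts = [str(h) for h in ipaddress.ip_network("10.20.0.0/19")]
    chunks = [",".join(hosts[i:i + 1024]) for i in range(0, len(hosts), 1024)]
    return "ipvar HOME_NET any\nipvar BLOCKED [" + ",\\\n".join(chunks) + ",$EXTRA]\n"

if __name__ == "__main__":
    for no, old, new in audit(sample_conf()):
        print("line %d: %d chars -> %d after CIDR aggregation" % (no, old, new))
```

Entries that are not plain addresses or networks (negations, variable references, `any`) are carried over unchanged, so the rewritten list matches the same set of addresses.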

