[Snort-devel] Snort variables longer than 65535 bytes

Russ Combs rcombs at ...402...
Mon Dec 2 08:22:35 EST 2013


That hasn't been changed since 2.9.4.1 but you should get the latest
version for the many fixes and enhancements.  If you compile from source,
you can change that value to one that suits your needs.

The value is somewhat arbitrary, but needing more than that is interesting.
 If you can share what exactly you are trying to do, we can take a look at
changing it.  Just need a compelling use case.

Russ



On Tue, Nov 19, 2013 at 3:24 PM, Jon Larson <jon at ...3287...> wrote:

>  In my snort configuration I have a variable that's really long, split
> over multiple lines that are each about 12k.  When I go to start snort I
> get this error in /var/log/messages:
>
> FATAL ERROR: /opt/company/etc/vars.conf(67) Rule greater than or equal to
> 65535 characters which is more than the parser is willing to handle.
> Submit a bug to bugs at ...835... if you legitimately feel like your rule or
> keyword configuration needs more than this amount of space.
>
> I see in the code (src/rules.h) this:
> #define PARSERULE_SIZE         (65535)
>
> We're using version 2.9.4.1.  Has this been addressed in a future
> release?  Or, can someone suggest a workaround that's short of changing the
> snort code?
>
> --
>
> Jon Larson
> Software Engineer
> Catbird, * Real Security for the Virtual World *
> jon at ...3287... | 1-866-682-0080 | www.catbird.com
>
>   <http://www.twitter.com/@CatbirdSecurity>
> <http://www.linkedin.com/company/catbird-networks>
> <https://www.youtube.com/user/CatbirdSecurity>
> <http://www.facebook.com/catbirdsecurevirtualization>
> <https://plus.google.com/107946134686380966108/posts>
>
>
> ------------------------------------------------------------------------------
> Rapidly troubleshoot problems before they affect your business. Most IT
> organizations don't have a clear picture of how application performance
> affects their revenue. With AppDynamics, you get 100% visibility into your
> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics
> Pro!
> http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20131202/e2ba7daa/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: twitter.png
Type: image/png
Size: 3424 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20131202/e2ba7daa/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: g+.png
Type: image/png
Size: 3393 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20131202/e2ba7daa/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: linkedIn.png
Type: image/png
Size: 3434 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20131202/e2ba7daa/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: catbird_logo-100-30.png
Type: image/png
Size: 3014 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20131202/e2ba7daa/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: facebook.png
Type: image/png
Size: 3435 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20131202/e2ba7daa/attachment-0004.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: youtube.png
Type: image/png
Size: 3317 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20131202/e2ba7daa/attachment-0005.png>


More information about the Snort-devel mailing list