[Snort-devel] Snort variables longer than 65535 bytes
kumba at ...2185...
Mon Dec 2 08:39:59 EST 2013
I'd also break out an IP calculator and see if some of the addresses can't
be merged using CIDR blocks. That would shorten the address strings up a bit.
On 12/02/2013 8:22 AM, Russ Combs wrote:
> That hasn't been changed since 22.214.171.124 but you should get the latest
> version for the many fixes and enhancements. If you compile from source,
> you can change that value to one that suits your needs.
> The value is somewhat arbitrary, but needing more than that is interesting.
> If you can share what exactly you are trying to do, we can take a look at
> changing it. Just need a compelling use case.
> On Tue, Nov 19, 2013 at 3:24 PM, Jon Larson <jon at ...3287...> wrote:
>> In my snort configuration I have a variable that's really long, split
>> over multiple lines that are each about 12k. When I go to start snort I
>> get this error in /var/log/messages:
>> FATAL ERROR: /opt/company/etc/vars.conf(67) Rule greater than or equal to
>> 65535 characters which is more than the parser is willing to handle.
>> Submit a bug to bugs at ...835... if you legitimately feel like your rule or
>> keyword configuration needs more than this amount of space.
>> I see in the code (src/rules.h) this:
>> #define PARSERULE_SIZE (65535)
>> We're using version 126.96.36.199. Has this been addressed in a future
>> release? Or, can someone suggest a workaround that's short of changing the
>> snort code?
>> Jon Larson
>> Software Engineer
>> Catbird, * Real Security for the Virtual World *
>> jon at ...3287... | 1-866-682-0080 | www.catbird.com
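
The CIDR-merging suggestion at the top of this message, as an added example that is not part of the original thread or of Snort's own code. It assumes the long variable is a flat `ipvar` address list; the variable name BLOCKLIST, the helper names and the sample addresses are constructed for illustration.

```python
import ipaddress

PARSERULE_SIZE = 65535  # limit quoted in the thread from src/rules.h


def collapse_ipvar(name, value):
    """Return an 'ipvar' line whose address list is merged into CIDR blocks.

    Assumes a flat list (no nested brackets); negated entries are kept as-is.
    """
    items = [t.strip() for t in value.strip().strip("[]").split(",") if t.strip()]
    negated = [t for t in items if t.startswith("!")]
    nets = {4: [], 6: []}
    for tok in items:
        if tok.startswith("!"):
            continue
        net = ipaddress.ip_network(tok, strict=False)
        nets[net.version].append(net)
    merged = []
    for version in (4, 6):  # collapse_addresses rejects mixed versions
        merged.extend(ipaddress.collapse_addresses(nets[version]))
    parts = [_render(n) for n in merged] + negated
    return "ipvar %s [%s]" % (name, ",".join(parts))


def _render(net):
    # Write single hosts without the /32 or /128 suffix to save characters.
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def fits_parser(line, limit=PARSERULE_SIZE):
    """The error in the thread fires at 'greater than or equal to' the limit."""
    return len(line) < limit


# Constructed sample: 256 consecutive hosts plus two adjacent /25 blocks.
SAMPLE = "[" + ",".join("192.0.2.%d" % i for i in range(256)) + \
         ",198.51.100.0/25,198.51.100.128/25,203.0.113.7,!203.0.113.9]"

if __name__ == "__main__":
    before = "ipvar BLOCKLIST " + SAMPLE
    after = collapse_ipvar("BLOCKLIST", SAMPLE)
    print(len(before), "->", len(after), "chars; fits:", fits_parser(after))
    print(after)
```

Merging only the non-negated entries leaves the set of matched addresses unchanged, so the shortened variable is equivalent to the original list.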