[Snort-devel] Snort variables longer than 65535 bytes

Joshua Kinard kumba at ...2185...
Mon Dec 2 08:39:59 EST 2013

I'd also break out an IP calculator and see if some of the addresses can't
be merged using CIDR blocks.  That would shorten the address strings up a bit.


On 12/02/2013 8:22 AM, Russ Combs wrote:
> That hasn't been changed since but you should get the latest
> version for the many fixes and enhancements.  If you compile from source,
> you can change that value to one that suits your needs.
> The value is somewhat arbitrary, but needing more than that is interesting.
> If you can share what exactly you are trying to do, we can take a look at
> changing it.  Just need a compelling use case.
> Russ
> On Tue, Nov 19, 2013 at 3:24 PM, Jon Larson <jon at ...3287...> wrote:
>> In my snort configuration I have a variable that's really long, split
>> over multiple lines that are each about 12k.  When I go to start snort I
>> get this error in /var/log/messages:
>> FATAL ERROR: /opt/company/etc/vars.conf(67) Rule greater than or equal to
>> 65535 characters which is more than the parser is willing to handle.
>> Submit a bug to bugs at ...835... if you legitimately feel like your rule or
>> keyword configuration needs more than this amount of space.
>> I see in the code (src/rules.h) this:
>> #define PARSERULE_SIZE         (65535)
>> We're using version  Has this been addressed in a future
>> release?  Or, can someone suggest a workaround that's short of changing the
>> snort code?
>> --
>> Jon Larson
>> Software Engineer
>> Catbird, * Real Security for the Virtual World *
>> jon at ...3287... | 1-866-682-0080 | www.catbird.com
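
The CIDR merge suggested at the top of this message can be scripted. The following is an added example, not code from the thread or from Snort: `collapse_ip_list` and `fits_parser` are hypothetical helper names, the addresses are constructed from documentation ranges, only flat (non-nested) lists are handled, and it assumes the 65535 limit is checked against the whole assembled variable line.

```python
import ipaddress

PARSERULE_SIZE = 65535  # value quoted in the thread from src/rules.h

# Constructed sample list (documentation address ranges only).
SAMPLE = ("[192.0.2.0,192.0.2.1,192.0.2.2,192.0.2.3,"
          "198.51.100.0/25,198.51.100.128/25,203.0.113.7,!203.0.113.9]")


def collapse_ip_list(value):
    """Merge a flat Snort-style bracketed IP list into the fewest CIDR blocks.

    Negated entries (!addr), variable references ($NAME) and "any" are passed
    through unchanged, because merging them would change what the list matches.
    """
    inner = value.strip()
    if inner.startswith("[") and inner.endswith("]"):
        inner = inner[1:-1]
    if "[" in inner or "]" in inner:
        raise ValueError("nested lists are not handled by this example")
    nets = {4: [], 6: []}
    passthrough = []
    for item in (i.strip() for i in inner.split(",")):
        if not item:
            continue
        if item.startswith(("!", "$")) or item == "any":
            passthrough.append(item)
            continue
        # Raises ValueError on malformed entries or set host bits.
        net = ipaddress.ip_network(item)
        nets[net.version].append(net)
    merged = []
    for version in (4, 6):
        # collapse_addresses() needs a single IP version per call.
        for net in ipaddress.collapse_addresses(nets[version]):
            # Write single hosts without a prefix to save characters.
            single = net.prefixlen == net.max_prefixlen
            merged.append(str(net.network_address) if single else str(net))
    return "[" + ",".join(merged + passthrough) + "]"


def fits_parser(line):
    """True if the line is shorter than the limit in the quoted error."""
    return len(line) < PARSERULE_SIZE


if __name__ == "__main__":
    line = "ipvar EXAMPLE_NET " + collapse_ip_list(SAMPLE)
    print(len(line), fits_parser(line), line)
```
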
