[Snort-devel] Snort variables longer than 65535 bytes

Joshua Kinard kumba at ...2185...
Mon Dec 2 08:39:59 EST 2013


I'd also break out an IP calculator and see if some of the addresses can't
be merged using CIDR blocks.  That would shorten the address strings up a bit.

--J


On 12/02/2013 8:22 AM, Russ Combs wrote:
> That hasn't been changed since 2.9.4.1 but you should get the latest
> version for the many fixes and enhancements.  If you compile from source,
> you can change that value to one that suits your needs.
> 
> The value is somewhat arbitrary, but needing more than that is interesting.
>  If you can share what exactly you are trying to do, we can take a look at
> changing it.  Just need a compelling use case.
> 
> Russ
> 
> 
> 
> On Tue, Nov 19, 2013 at 3:24 PM, Jon Larson <jon at ...3287...> wrote:
> 
>>  In my snort configuration I have a variable that's really long, split
>> over multiple lines that are each about 12k.  When I go to start snort I
>> get this error in /var/log/messages:
>>
>> FATAL ERROR: /opt/company/etc/vars.conf(67) Rule greater than or equal to
>> 65535 characters which is more than the parser is willing to handle.
>> Submit a bug to bugs at ...835... if you legitimately feel like your rule or
>> keyword configuration needs more than this amount of space.
>>
>> I see in the code (src/rules.h) this:
>> #define PARSERULE_SIZE         (65535)
>>
>> We're using version 2.9.4.1.  Has this been addressed in a future
>> release?  Or, can someone suggest a workaround that's short of changing the
>> snort code?
>>
>> --
>>
>> Jon Larson
>> Software Engineer
>> Catbird, * Real Security for the Virtual World *
>> jon at ...3287... | 1-866-682-0080 | www.catbird.com
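
Added example, not part of the original thread or the Snort source: one way to apply the CIDR-merging suggestion above to a variable definition before checking it against the 65535-character limit quoted from `src/rules.h`. It assumes a flat `var`/`ipvar` list with no nested brackets; the variable name, the sample addresses, and the assumption that the limit applies to the joined definition are constructed for illustration.

```python
import ipaddress
import re

PARSERULE_SIZE = 65535  # value of the #define quoted from src/rules.h

def collapse_ipvar(definition):
    """Return the definition with plain address entries merged into CIDR blocks."""
    # Join backslash-continued lines into one logical line.
    text = re.sub(r"\\[ \t]*\r?\n", "", definition).strip()
    m = re.fullmatch(r"(ipvar|var)\s+(\S+)\s+\[(.*)\]", text, re.S)
    if m is None:
        raise ValueError("expected: ipvar NAME [entry,entry,...]")
    keyword, name, body = m.groups()
    if "[" in body or "]" in body:
        raise ValueError("nested lists are outside this example's scope")
    nets = {4: [], 6: []}
    untouched = []  # negations, $VAR references, entries with host bits set
    for item in filter(None, (s.strip() for s in body.split(","))):
        try:
            net = ipaddress.ip_network(item)  # strict: rejects host bits
        except ValueError:
            untouched.append(item)
        else:
            nets[net.version].append(net)
    merged = []
    for version in (4, 6):
        for net in ipaddress.collapse_addresses(nets[version]):
            single = net.prefixlen == net.max_prefixlen
            merged.append(str(net.network_address) if single else str(net))
    return f"{keyword} {name} [{','.join(merged + untouched)}]"

def fits_parser(line):
    """Assumption: the limit applies to the length of the joined definition."""
    return len(line) < PARSERULE_SIZE

# Constructed sample input (documentation-range and private addresses).
SAMPLE = """ipvar BLOCKED [10.1.0.0/25,10.1.0.128/25,\\
    10.1.1.0/24,192.0.2.7,192.0.2.6,\\
    !10.1.0.5,$DNS_SERVERS]"""

if __name__ == "__main__":
    out = collapse_ipvar(SAMPLE)
    print(out, len(out), fits_parser(out))
```

Entries the script cannot parse as a clean network (negations, variable references, addresses with host bits set) are carried over verbatim, so only the positive address set is rewritten.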





