[Snort-devel] Snort variables longer than 65535 bytes

Jon Larson jon at ...3287...
Fri Nov 22 16:52:08 EST 2013


Hello:
In my snort configuration I have a variable that's really long, split 
over multiple lines that are each about 12k.  When I go to start snort I 
get this error in /var/log/messages:

    FATAL ERROR: /opt/company/etc/vars.conf(67) Rule greater than or
    equal to 65535 characters which is more than the parser is willing
    to handle.  Submit a bug to bugs at ...835... if you legitimately feel
    like your rule or keyword configuration needs more than this amount
    of space.

I see in the code (src/rules.h) this:
#define PARSERULE_SIZE         (65535)

We're using version 2.9.4.1.  Has this been addressed in a future 
release?  Or, can someone suggest a workaround that's short of changing 
the snort code?

-- 

Jon Larson
Software Engineer
Catbird, /Real Security for the Virtual World /
jon at ...3287... | 1-866-682-0080 | www.catbird.com

<http://www.twitter.com/@CatbirdSecurity> 
<http://www.linkedin.com/company/catbird-networks> 
<https://www.youtube.com/user/CatbirdSecurity> 
<http://www.facebook.com/catbirdsecurevirtualization> 
<https://plus.google.com/107946134686380966108/posts>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20131122/255ef086/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: catbird_logo-100-30.png
Type: image/png
Size: 3014 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20131122/255ef086/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: twitter.png
Type: image/png
Size: 3424 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20131122/255ef086/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: linkedIn.png
Type: image/png
Size: 3434 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20131122/255ef086/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: youtube.png
Type: image/png
Size: 3317 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20131122/255ef086/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: facebook.png
Type: image/png
Size: 3435 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20131122/255ef086/attachment-0004.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: g+.png
Type: image/png
Size: 3393 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20131122/255ef086/attachment-0005.png>


More information about the Snort-devel mailing list