[Snort-sigs] FLOWBITS ERROR
marc.norton at ...435...
Mon Mar 7 11:33:14 EST 2005
You cannot just remove the cap since the data storage schemes use this
number prior to the rules actually being read. For now just use a
higher limit. We will be comming out with a more dynamic mechanism as
Brian suggests shortly.
> On Wed, Mar 02, 2005 at 09:35:48AM +0000, Zultan wrote:
>>I tried Matthew Watchinski's suggestion and set "config
>>flowbits_size: 64" and that fixed the problem.
>>I just guessed when choosing 64. What is the number for? Meg of
> The value was an arbitrary nubmer that fixes your issue. Anything
> bigger than the number of flowbits you have would solve your issue.
> flowbits uses a dynamically sized bitarray for data storage. The more
> unique flowbits you have, the larger the bit array you store, however
> the storage is only 1 bit per flowbit (rounded up to the nearest
> The original code I wrote that added flowbits didn't include this
> arbitrary cap, since if you need the flowbits you need the flowbits.
> Its trivial to remove the arbitrary cap. If you are really concerned,
> go hack the code to remove the upper limit. You won't break anything
> by toasting the upper limit.
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real users.
> Discover which products truly live up to the hype. Start reading now.
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
Marc Norton Snort Team Lead
410-423-1924 mnorton at ...435...
More information about the Snort-sigs