[Snort-sigs] FLOWBITS ERROR

marc norton marc.norton at ...435...
Mon Mar 7 11:33:14 EST 2005


You cannot just remove the cap since the data storage schemes use this 
number prior to the rules actually being read.  For now just use a 
higher limit.  We will be comming out with a more dynamic mechanism as 
Brian suggests shortly.

Brian wrote:
> On Wed, Mar 02, 2005 at 09:35:48AM +0000, Zultan  wrote:
> 
>>I tried Matthew Watchinski's suggestion and set "config
>>flowbits_size: 64" and that fixed the problem.
>>
>>I just guessed when choosing 64. What is the number for?  Meg of
>>memory allocated?
> 
> 
> The value was an arbitrary nubmer that fixes your issue.  Anything
> bigger than the number of flowbits you have would solve your issue.
> 
> flowbits uses a dynamically sized bitarray for data storage.  The more
> unique flowbits you have, the larger the bit array you store, however
> the storage is only 1 bit per flowbit (rounded up to the nearest
> byte).
> 
> The original code I wrote that added flowbits didn't include this
> arbitrary cap, since if you need the flowbits you need the flowbits.
> 
> Its trivial to remove the arbitrary cap.  If you are really concerned,
> go hack the code to remove the upper limit.  You won't break anything
> by toasting the upper limit.
> 
> Brian
> 
> 
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real users.
> Discover which products truly live up to the hype. Start reading now.
> http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 

-- 
Marc Norton   Snort Team Lead
410-423-1924  mnorton at ...435...
www.snort.org www.sourcefire.com




More information about the Snort-sigs mailing list