[Snort-users] maximum length for msg?

Alex Kirk alex.kirk at ...1935...
Fri Sep 16 06:12:21 EDT 2005


Dirk,

You are correct about that line being present in decode.h. However, that 
#define doesn't seem to have any effect on Snort's ability to deal with 
longer msg strings. For example, I tested 2.3.3 and 2.4 with a fake rule 
designed to maximize the length of that string:

alert tcp any any -> any any 
(msg:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";)

and I got the full msg string in my alerts.

I don't know that I'd necessarily recommend a msg string over 255 bytes 
in light of the #define here -- I'm not familiar with that piece of the 
code, and I may be unaware of some feature that would be broken by a 
longer string -- but at the very least such a string shouldn't kill 
Snort, and if you're in an environment where you can afford to take the 
risk that your msg string may be truncated, there's nothing that I can 
see holding you back from giving it a shot.

Alex Kirk
Research Analyst
Sourcefire, Inc.

>Hi Alex,
>
>>There's no specific length maximum for the msg; as long as you keep your 
>>rule below 1,024 characters, you'll be fine.
>
>are you sure about this? At least I remember this as part of decode.h:
>
>#define        ALERTMSG_LENGTH 256
>
>So I guess more than 255 characters in the messages won't make any
>sense, or? So maybe snort can read more characters from the rule
>but internally it only uses up to 255...
>
>Best regards
>
>Dirk
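An added example, not code from Snort or from anyone in this thread: a small Python linter that pulls the msg option out of a rule and flags one longer than the ALERTMSG_LENGTH figure Dirk quotes from decode.h, or a whole rule over the 1,024-character figure Alex gives. The option parsing is my own approximation of rule syntax, and the two limits are taken from the thread as written rather than checked against any Snort release.

```python
import re

# Both figures are the ones quoted in the thread (decode.h's ALERTMSG_LENGTH and
# the 1,024-character rule limit); they are not re-checked against any Snort release.
ALERTMSG_LENGTH = 256
MAX_RULE_LENGTH = 1024

_OPTIONS_RE = re.compile(r"\((.*)\)\s*$", re.S)  # everything inside the outer parens


def parse_options(rule: str) -> dict:
    """Return the rule's option body as {keyword: value}.

    Quoted values and backslash escapes are honoured, so a ';' inside
    msg:"..." does not end the option early (escape backslashes are kept)."""
    m = _OPTIONS_RE.search(rule)
    if not m:
        return {}
    opts, cur, in_quote, escaped = {}, [], False, False

    def flush():  # one "keyword:value;" option is complete
        text = "".join(cur).strip()
        if text:
            key, _, value = text.partition(":")
            value = value.strip()
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1]  # drop only the enclosing quote pair
            opts[key.strip()] = value
        cur.clear()

    for ch in m.group(1):
        if ch == ";" and not in_quote and not escaped:
            flush()
            continue
        if ch == '"' and not escaped:
            in_quote = not in_quote
        escaped = ch == "\\" and not escaped
        cur.append(ch)
    flush()
    return opts


def check_rule(rule: str) -> list:
    """Return human-readable warnings for one rule (an empty list means it is fine)."""
    warnings = []
    if len(rule) > MAX_RULE_LENGTH:
        warnings.append(f"rule is {len(rule)} chars, over {MAX_RULE_LENGTH}")
    msg = parse_options(rule).get("msg")
    if msg is None:
        warnings.append("rule has no msg option")
    elif len(msg) > ALERTMSG_LENGTH - 1:  # Dirk's reading: 256-byte buffer, 255 usable
        warnings.append(f"msg is {len(msg)} chars; ALERTMSG_LENGTH {ALERTMSG_LENGTH} "
                        f"may truncate it to {ALERTMSG_LENGTH - 1}")
    return warnings
```

Running it over a rules file is one loop of `check_rule` per non-comment line; a non-empty list means the alert text may be cut short in the way Dirk describes.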