[Snort-users] maximum length for msg?
alex.kirk at ...1935...
Fri Sep 16 06:12:21 EDT 2005
You are correct about that line being present in decode.h. However, that
#define doesn't seem to have any effect on Snort's ability to deal with
longer msg strings. For example, I tested 2.3.3 and 2.4 with a fake rule
designed to maximize the length of that string:
alert tcp any any -> any any
and I got the full msg string in my alerts.
I don't know that I'd necessarily recommend a msg string over 255 bytes
in light of the #define here -- I'm not familiar with that piece of the
code, and I may be unaware of some feature that would be broken by a
longer string -- but at the very least such a string shouldn't kill
Snort, and if you're in an environment where you can afford to take the
risk that your msg string may be truncated, there's nothing that I can
see holding you back from giving it a shot.
>>There's no specific length maximum for the msg; as long as you keep your
>>rule below 1,024 characters, you'll be fine.
>are you sure about this? At least I remember this as part of decode.h:
>#define ALERTMSG_LENGTH 256
>So I guess more than 255 characters in the messages won't make any
>sense, or? So maybe snort can read more characters from the rule
>but internally it only uses up to 255...
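As an added example (not code from the thread or from Snort itself), a small rule lint that extracts the msg option and flags the two figures discussed above; ALERTMSG_LENGTH and the 1,024-character rule limit are taken from the messages here, not checked against current Snort sources, and the sample rules are constructed.

```python
import re

# Limits as quoted in this thread (assumed, not verified against current Snort).
ALERTMSG_LENGTH = 256   # #define in decode.h per the quoted message
RULE_LINE_LIMIT = 1024  # rule-length figure from the earlier reply


def msg_option(rule):
    """Return the raw msg string of a Snort rule, or None if there is none.

    Only the text inside the option parentheses is scanned; backslash
    escapes such as \\" or \\; inside the quotes are kept as written.
    """
    m = re.search(r'\((.*)\)\s*$', rule, re.S)
    if not m:
        return None
    body = m.group(1)
    m = re.search(r'(?:^|;)\s*msg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;', body)
    return m.group(1) if m else None


def check_rule(rule):
    """Return a list of warnings for one rule (empty when nothing is flagged)."""
    warnings = []
    if len(rule) > RULE_LINE_LIMIT:
        warnings.append("rule is %d chars, over %d" % (len(rule), RULE_LINE_LIMIT))
    msg = msg_option(rule)
    if msg is None:
        warnings.append("no msg option")
    else:
        # A 256-byte buffer needs one byte for the terminating NUL, so 255 is the
        # most that can survive a copy into it without truncation.
        nbytes = len(msg.encode())
        if nbytes > ALERTMSG_LENGTH - 1:
            warnings.append("msg is %d bytes; a %d-byte buffer holds %d, may be truncated"
                            % (nbytes, ALERTMSG_LENGTH, ALERTMSG_LENGTH - 1))
    return warnings


# Constructed sample rules: one short, one with a deliberately oversized msg.
SAMPLE_SHORT = 'alert tcp any any -> any any (msg:"TEST short msg"; sid:1000001; rev:1;)'
SAMPLE_LONG = 'alert tcp any any -> any any (msg:"%s"; sid:1000002; rev:1;)' % ("X" * 300)

if __name__ == "__main__":
    for r in (SAMPLE_SHORT, SAMPLE_LONG):
        print(check_rule(r) or ["ok"])
```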