# [Snort-users] maximum length for msg?

Alex Kirk alex.kirk at ...1935...
Fri Sep 16 06:12:21 EDT 2005

```
Dirk,

You are correct about that line being present in decode.h. However, that
#define doesn't seem to have any effect on Snort's ability to deal with
longer msg strings. For example, I tested 2.3.3 and 2.4 with a fake rule
designed to maximize the length of that string:

alert tcp any any -> any any
(msg:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";)

and I got the full msg string in my alerts.

I don't know that I'd necessarily recommend a msg string over 255 bytes
in light of the #define here -- I'm not familiar with that piece of the
code, and I may be unaware of some feature that would be broken by a
longer string -- but at the very least such a string shouldn't kill
Snort, and if you're in an environment where you can afford to take the
risk that your msg string may be truncated, there's nothing that I can
see holding you back from giving it a shot.

Alex Kirk
Research Analyst
Sourcefire, Inc.

>Hi Alex,
>
>
>
>>There's no specific length maximum for the msg; as long as you keep your
>>rule below 1,024 characters, you'll be fine.
>>
>>
>
>
>
>So I guess more than 255 characters in the message won't make any
>sense, or? So maybe snort can read more characters from the rule
>but internally it only uses up to 255...
>
>Best regards
>
>Dirk
>
>

```
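An added example, not part of the original post and not Snort's own code: a small rule-file check that flags rules whose msg string exceeds the 255 bytes discussed above, or whose total length is not below the 1,024 characters mentioned in the quoted reply. Both limits are taken from this thread as assumptions; the function names and sample rules are constructed for illustration.

```python
import re

# Limits as stated in the thread above (assumptions, not read from Snort's
# source): 255 bytes for msg, and rules kept below 1,024 characters.
MSG_SOFT_LIMIT = 255
RULE_LIMIT = 1024

# msg:"..." where the quoted text may contain backslash-escaped characters.
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')

# Constructed sample rules (not from the thread); the second uses a continuation.
SAMPLE = (
    'alert tcp any any -> any any (msg:"short \\"quoted\\" msg"; sid:1000001;)\n'
    'alert tcp any any -> any any \\\n'
    '    (msg:"' + "A" * 300 + '"; sid:1000002;)\n'
)

def join_continuations(text):
    """Join lines ending in a backslash; drop comments and blank lines."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        rules.append(pending + line)
        pending = ""
    if pending:
        rules.append(pending.rstrip())
    return rules

def check_rule(rule):
    """Return a list of findings for one logical rule line."""
    findings = []
    if len(rule) >= RULE_LIMIT:
        findings.append(f"rule is {len(rule)} chars (limit {RULE_LIMIT})")
    m = MSG_RE.search(rule)
    if m is None:
        return findings + ["no msg option found"]
    # Unescape \" \; \\ first, then count bytes rather than characters.
    size = len(re.sub(r"\\(.)", r"\1", m.group(1)).encode("utf-8"))
    if size > MSG_SOFT_LIMIT:
        findings.append(f"msg is {size} bytes (over {MSG_SOFT_LIMIT})")
    return findings

def lint(text):
    """Map the index of each flagged logical rule to its findings."""
    return {i: f for i, r in enumerate(join_continuations(text)) if (f := check_rule(r))}
```
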