[Snort-users] maximum length for msg?

Alex Kirk alex.kirk at ...1935...
Fri Sep 16 06:39:00 EDT 2005


Dirk Geschke wrote:

>Hi Alex,
>
>>You are correct about that line being present in decode.h. However, that 
>>#define doesn't seem to have any effect on Snort's ability to deal with 
>>longer msg strings. For example, I tested 2.3.3 and 2.4 with a fake rule 
>>designed to maximize the length of that string:
>
>yes, but you did not check all output-plugins:
>
Which is why I generally recommended not using longer msg strings, why I 
was so cautious to note that I had not read all of the relevant code, 
and why I stated that I might be missing something that would break as a 
result of this.

>output-plugins/spo_alert_unixsock.c, line 197:
>
> strlen(msg)>ALERTMSG_LENGTH-1 ? ALERTMSG_LENGTH - 1 : strlen(msg));
>
>Ok, I think no one really wants to use a message larger than 255 
>bytes...
>
Which is probably true from a usability perspective anyway -- if you've 
got a msg string bigger than that, it's going to be a lot to read, and 
it's probably going to be so specific/detailed/whatever that it won't 
make sense to anyone except the person who wrote it.

Alex Kirk
Research Analyst
Sourcefire, Inc.
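The clamp quoted above from spo_alert_unixsock.c means any msg longer than ALERTMSG_LENGTH - 1 bytes is silently cut when alerts go out over the unix socket. The following is an added example (not code from Snort or from either poster) that reproduces that clamp and lints a rules file for msg strings that would be truncated; the value ALERTMSG_LENGTH = 256 and the sample rules are assumptions made for the example.

```python
import re

# ALERTMSG_LENGTH is the decode.h define discussed in this thread; the unixsock
# plugin copies at most ALERTMSG_LENGTH - 1 bytes of msg. Value 256 is assumed.
ALERTMSG_LENGTH = 256

# Matches msg:"..." inside a rule body, allowing backslash-escaped characters.
_MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"')
_SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def unixsock_msg(msg: bytes, limit: int = ALERTMSG_LENGTH) -> bytes:
    """Mimic the clamp in spo_alert_unixsock.c: keep at most limit-1 bytes of msg."""
    n = len(msg)
    return msg[: limit - 1 if n > limit - 1 else n]


def find_overlong_msgs(rules_text: str, limit: int = ALERTMSG_LENGTH):
    """Return (sid, msg_byte_length, clamped_msg) for rules whose msg would be cut."""
    hits = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        m = _MSG_RE.search(line)
        if not m:
            continue
        raw = m.group(1).encode("utf-8")
        if len(raw) > limit - 1:
            s = _SID_RE.search(line)
            sid = int(s.group(1)) if s else None
            hits.append((sid, len(raw), unixsock_msg(raw, limit)))
    return hits


# Constructed sample rules file: one short msg, one padded well past 255 bytes.
SAMPLE_RULES = """
# constructed for this example, not real Snort rules
alert tcp any any -> any 80 (msg:"EXAMPLE short msg"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"EXAMPLE long msg {}"; sid:1000002; rev:1;)
""".format("x" * 300)

if __name__ == "__main__":
    for sid, n, clamped in find_overlong_msgs(SAMPLE_RULES):
        print(f"sid {sid}: msg is {n} bytes, unixsock would emit {len(clamped)}")
```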