[Snort-users] maximum length for msg?
alex.kirk at ...1935...
Fri Sep 16 06:39:00 EDT 2005
Dirk Geschke wrote:
>>You are correct about that line being present in decode.h. However, that
>>#define doesn't seem to have any effect on Snort's ability to deal with
>>longer msg strings. For example, I tested 2.3.3 and 2.4 with a fake rule
>>designed to maximize the length of that string:
>Yes, but you did not check all output-plugins:
Which is why I generally recommended not using longer msg strings, why I
was so cautious to note that I had not read all of the relevant code,
and why I stated that I might be missing something that would break as a
result of this.
>output-plugins/spo_alert_unixsock.c, line 197:
> strlen(msg)>ALERTMSG_LENGTH-1 ? ALERTMSG_LENGTH - 1 : strlen(msg));
>Ok, I think no one really wants to use a message larger than 255
Which is probably true from a usability perspective anyway -- if you've
got a msg string bigger than that, it's going to be a lot to read, and
it's probably going to be so specific/detailed/whatever that it won't
make sense to anyone except the person who wrote it.
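
A rule-file check for the limit discussed in this thread, added here as an example (it is not code from Snort or from either poster): it extracts each rule's msg and reports those longer than ALERTMSG_LENGTH - 1 bytes, which the length expression quoted from spo_alert_unixsock.c would cut. ALERTMSG_LENGTH = 256 is inferred from the 255 figure above; one rule per line and measuring the msg after unescaping are assumptions, and the sample rules are constructed.

```python
import re

# Assumption: ALERTMSG_LENGTH is 256, inferred from the 255 figure in the
# thread (ALERTMSG_LENGTH - 1); confirm against decode.h in your Snort tree.
ALERTMSG_LENGTH = 256

# msg:"..."; the body may hold backslash-escaped characters (\" \; \\).
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')

def extract_msg(rule):
    """Return the unescaped msg string of one rule line, or None if absent."""
    m = MSG_RE.search(rule)
    return None if m is None else re.sub(r'\\(.)', r'\1', m.group(1))

def unixsock_copy(msg):
    """Model the length expression quoted from spo_alert_unixsock.c."""
    raw = msg.encode("utf-8")
    n = ALERTMSG_LENGTH - 1 if len(raw) > ALERTMSG_LENGTH - 1 else len(raw)
    return raw[:n]

def lint_rules(text):
    """Return (line_no, msg_bytes, lost_bytes) for each msg that would be cut."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out rule
        msg = extract_msg(line)
        if msg is None:
            continue  # rule without a msg option
        size = len(msg.encode("utf-8"))
        lost = size - len(unixsock_copy(msg))
        if lost > 0:
            findings.append((no, size, lost))
    return findings

# Constructed sample rules (not from the thread or any real rule set).
SAMPLE_RULES = "\n".join([
    '# constructed sample rules',
    'alert tcp any any -> any 80 (msg:"short \\"quoted\\" message"; sid:1000001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"' + "A" * 300 + '"; sid:1000002; rev:1;)',
    'alert tcp any any -> any 80 (msg:"' + "B" * 255 + '"; sid:1000003; rev:1;)',
])

if __name__ == "__main__":
    for no, size, lost in lint_rules(SAMPLE_RULES):
        print(f"line {no}: msg is {size} bytes, {lost} would be dropped")
```

A msg of exactly 255 bytes passes unchanged; only the 300-byte msg is reported.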