[Snort-users] Snort 2.8.3 SID rule value upper bound?

Geoff Whittington geoff.whittington at ...11827...
Tue Dec 2 12:07:36 EST 2008


First, thank-you for your replies - I've been away from the office
hence my late reply.

We encountered an event when a signature required a large number of
rules and it broke our typical <10 rule assumption. In a perfect world
a doubling would help us. We ended working around the issue, however.

Best wishes,
 - Geoff

On Sat, Nov 15, 2008 at 9:12 PM, Todd Wease <twease at ...1935...> wrote:
> Hi Geoff,
>
> I don't believe sids greater than 2147483647 have ever been supported.
> Just did a quick check with 2.6.1.5 and looked at CVS and the code that
> sets the sid uses atoi() and has never been changed.  Do you have a need
> for larger sids?  If so, I believe it would be an easy fix to up this to
> 4294967295.
>
> Todd
>
> Matt Olney wrote:
>> Er....  MAX_INT?
>>
>> Seems like there was a guy on irc a bit ago who had a very high sid
>> that looped.  We thought that max_int was the problem, but I'm not
>> sure we checked source code.
>>
>> I'm waiting for a table, so I can't check ;)
>>
>> Sent from my iPhone
>>
>> On Nov 14, 2008, at 5:31 PM, "Geoff Whittington" <geoff.whittington at ...11827...
>>  > wrote:
>>
>>
>>> Hello,
>>>
>>> Can someone confirm the maximum value that can be defined for a rule
>>> sid ? I seem to be seeing unreliable behaviour when a rule is defined
>>> with a sid > 2147483646.
>>>
>>> This does not seem to affect 2.4.5, or 2.6.1.5.
>>>
>>> Cheers,
>>> - Geoff
>>>
>>> ---
>>> ----------------------------------------------------------------------
>>> This SF.Net email is sponsored by the Moblin Your Move Developer's
>>> challenge
>>> Build the coolest Linux based applications with Moblin SDK & win
>>> great prizes
>>> Grand prize is a trip for two to an Open Source event anywhere in
>>> the world
>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>
>> -------------------------------------------------------------------------
>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>> Build the coolest Linux based applications with Moblin SDK & win great prizes
>> Grand prize is a trip for two to an Open Source event anywhere in the world
>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>




More information about the Snort-users mailing list