[Snort-users] max flowbits fatal errors

Kungu Panda kungupanda at ...11827...
Thu Oct 7 15:55:12 EDT 2010


Thank you Russ, I very much appreciate the response.

Yes, I am building from source.

I will disable several of the lower-priority rules until this can get
patched.  This will be somewhat painful as our dataflows are pretty unique
and, obviously, we use flowbits heavily.

Will there be a specific bug id# that I can watch-out for?

K.Panda



On Thu, Oct 7, 2010 at 7:23 PM, Russ Combs <rcombs at ...1935...> wrote:

> Looks like that option is broken.  I'll create a bug for it.
>
> Are building from source?
>
> You are so close to the limit, are there any rules you can disable?
>
> On Thu, Oct 7, 2010 at 9:55 AM, Kungu Panda <kungupanda at ...11827...> wrote:
>
>> I am running into the following fatal error when starting snort:
>>
>>   "ERROR: FLOWBITS: The number of flowbit IDs in the current ruleset (513)
>> exceed the maximum number of IDs that are allowed (512)."
>>   "Fatal Error, Quitting."
>>
>> I tried setting the global configuration option in snort.conf:  "config
>> flowbits_size: 768"  which really resulted in the really confusing error:
>>   "ERROR: /etc/snort/snort.conf  Invalid argument to 'flowbits_size':
>> 768.  Must be a positive integer and less than 256."
>>
>> Running on snort v2.8.6.1.
>> Tried finding help in the snort manual and README.flowbits with no
>> success.
>> Also did not find any command-line options that would help.
>>
>> Can someone point me in the right direction regarding bumping-up the
>> maximum number of flowbits IDs ?
>> And what exactly does the "config flowbits_size: nnn"  configuration
>> option do ?
>>
>> Thank you,
>> K.Panda
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Beautiful is writing same markup. Internet Explorer 9 supports
>> standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
>> Spend less time writing and  rewriting code and more time creating great
>> experiences on the web. Be a part of the beta today.
>> http://p.sf.net/sfu/beautyoftheweb
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20101007/24edb91a/attachment.html>


More information about the Snort-users mailing list