Project

General

Profile

Actions

Feature #3887

closed

yaml: Increase maximum size for address vars

Added by Duane Howard about 1 year ago. Updated 5 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

It appears the maximum length for an address var is 8192 bytes0 when dynamically generating lists for vars in large networks, it is easy to exceed this limit (especially with IPv6 network ranges). Can this be increased?

The only current workaround I'm aware of is to try to dynamically split lists and generate multiple vars which is... a bit unruly

[0] https://github.com/OISF/suricata/blob/master/src/detect-engine-address.c#L746


Related issues

Related to Bug #2190: apparent 1000 character limit in threshold.conf IP listsClosedJeff LucovskyActions
Related to Task #4097: Suricon 2020 brainstormNewVictor JulienActions
Actions #1

Updated by Victor Julien about 1 year ago

  • Status changed from New to Assigned
  • Assignee set to Jeff Lucovsky
  • Target version set to 7.0rc1

It would be nice if it can be made dynamic so there is no hardcoded limit.

Target is 7 for now. We can consider backporting if its not intrusive.

Actions #2

Updated by Jeff Lucovsky 11 months ago

I suggest we cap the size allowed when permitting larger sizes.

The current (hard coded) limit is around 8k.

Suggestions for a reasonable upper bound?

Actions #3

Updated by Jeff Lucovsky 11 months ago

  • Status changed from Assigned to In Review
Actions #4

Updated by Jason Ish 10 months ago

  • Related to Bug #2190: apparent 1000 character limit in threshold.conf IP lists added
Actions #5

Updated by Jason Ish 10 months ago

  • Related to Task #4097: Suricon 2020 brainstorm added
Actions #6

Updated by Victor Julien 10 months ago

  • Subject changed from Increase maximum size for address vars to yaml: Increase maximum size for address vars
Actions #7

Updated by Jeff Lucovsky 5 months ago

  • Status changed from In Review to Closed
Actions

Also available in: Atom PDF