Feature #3887

yaml: Increase maximum size for address vars

Added by Duane Howard 10 months ago. Updated 2 months ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

It appears the maximum length for an address var is 8192 bytes [0]. When dynamically generating lists for vars in large networks, it is easy to exceed this limit (especially with IPv6 network ranges). Can this be increased?

The only current workaround I'm aware of is to try to dynamically split lists and generate multiple vars, which is... a bit unruly.

[0] https://github.com/OISF/suricata/blob/master/src/detect-engine-address.c#L746
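
The workaround described in the report, splitting a generated list across several vars so that each stays under the 8192-byte limit, as an added example (not code from the reporter or the Suricata project). The `SITE_NETS` name, the `_N` suffix scheme and the strictly-below-the-limit margin are assumptions, and only plain CIDR entries are handled (no negations or nested vars).

```python
import ipaddress

# Limit quoted in the issue above. Values stay strictly below it
# (assumption: leaves room for a terminating NUL in a fixed buffer).
MAX_VAR_BYTES = 8192


def normalize(cidrs):
    """Parse, de-duplicate and collapse overlapping or adjacent networks."""
    nets = [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs]
    out = []
    for version in (4, 6):  # collapse_addresses() rejects mixed versions
        same = [n for n in nets if n.version == version]
        out.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return out


def split_address_var(name, cidrs, limit=MAX_VAR_BYTES):
    """Return {NAME_0: "[a,b]", NAME_1: ...} with every value < limit bytes."""
    chunks, current, size = [], [], 2  # 2 = the enclosing "[" and "]"
    for entry in normalize(cidrs):
        if len(entry) + 2 >= limit:
            raise ValueError(f"limit {limit} cannot hold {entry!r}")
        cost = len(entry) + (1 if current else 0)  # +1 for the comma
        if size + cost >= limit:  # start a new var before overflowing
            chunks.append(current)
            current, size, cost = [], 2, len(entry)
        current.append(entry)
        size += cost
    if current:
        chunks.append(current)
    return {f"{name}_{i}": "[" + ",".join(c) + "]" for i, c in enumerate(chunks)}


def render_yaml(groups, indent="    "):
    """Lines for the address-groups block of suricata.yaml."""
    return "\n".join(f'{indent}{k}: "{v}"' for k, v in groups.items())


if __name__ == "__main__":
    # Constructed sample: 600 non-adjacent /48s from the 2001:db8::/32 doc range.
    sample = [f"2001:db8:{i * 2:x}::/48" for i in range(600)]
    groups = split_address_var("SITE_NETS", sample)
    for var, value in groups.items():
        print(var, len(value), "bytes")
```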


Related issues

Related to Bug #2190: apparent 1000 character limit in threshold.conf IP lists (Closed, Jeff Lucovsky)
Related to Task #4097: Suricon 2020 brainstorm (New, Victor Julien)

#1

Updated by Victor Julien 9 months ago

  • Status changed from New to Assigned
  • Assignee set to Jeff Lucovsky
  • Target version set to 7.0rc1

It would be nice if it can be made dynamic so there is no hardcoded limit.

Target is 7 for now. We can consider backporting if it's not intrusive.

#2

Updated by Jeff Lucovsky 8 months ago

I suggest we cap the size allowed when permitting larger sizes.

The current (hard coded) limit is around 8k.

Suggestions for a reasonable upper bound?

#4

Updated by Jason Ish 7 months ago

  • Related to Bug #2190: apparent 1000 character limit in threshold.conf IP lists added

#5

Updated by Jason Ish 7 months ago

  • Related to Task #4097: Suricon 2020 brainstorm added

#6

Updated by Victor Julien 7 months ago

  • Subject changed from Increase maximum size for address vars to yaml: Increase maximum size for address vars

#7

Updated by Jeff Lucovsky 2 months ago

  • Status changed from In Review to Closed
