Project

General

Profile

Actions

Bug #4416

closed

apparent 1000 character limit in threshold.conf IP lists

Added by Jeff Lucovsky about 3 years ago. Updated about 3 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

something like:
suppress gen_id 0, sig_id 0, track by_src, ip [lots of chars] (see [0])
will elicit an error:
<Error> - [ERRCODE: SC_ERR_PCRE_GET_SUBSTRING(4)] - pcre_copy_substring failed

shortening this list (see [1]) to less than 1000 characters, will allow it to be successfully loaded.
Workarounds include moving list to a variable in suricata.yaml or splitting into chunks.

[0] Generate a broken list (too long)
$ echo -ne '['; for in in $(seq 1 53); do echo -n '123.123.123.123/32,'; done | head -c -1; echo ']'
[123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32]

[1] Generate a working list (small enough)
$ echo -ne '['; for in in $(seq 1 52); do echo -n '123.123.123.123/32,'; done | head -c -1; echo ']'
[123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32]


Related issues 1 (0 open1 closed)

Copied from Suricata - Bug #2190: apparent 1000 character limit in threshold.conf IP listsClosedJeff LucovskyActions
Actions #1

Updated by Jeff Lucovsky about 3 years ago

  • Copied from Bug #2190: apparent 1000 character limit in threshold.conf IP lists added
Actions #2

Updated by Shivani Bhardwaj about 3 years ago

  • Status changed from Assigned to In Progress
Actions #3

Updated by Shivani Bhardwaj about 3 years ago

  • Status changed from In Progress to Closed
Actions

Also available in: Atom PDF