Project

General

Profile

Bug #4416

apparent 1000 character limit in threshold.conf IP lists

Added by Jeff Lucovsky 6 days ago.

Status:
Assigned
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

something like:
suppress gen_id 0, sig_id 0, track by_src, ip [lots of chars] (see [0])
will elicit an error:
<Error> - [ERRCODE: SC_ERR_PCRE_GET_SUBSTRING(4)] - pcre_copy_substring failed

shortening this list (see [1]) to less than 1000 characters, will allow it to be successfully loaded.
Workarounds include moving list to a variable in suricata.yaml or splitting into chunks.

[0] Generate a broken list (too long)
$ echo -ne '['; for in in $(seq 1 53); do echo -n '123.123.123.123/32,'; done | head -c -1; echo ']'
[123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32]

[1] Generate a working list (small enough)
$ echo -ne '['; for in in $(seq 1 52); do echo -n '123.123.123.123/32,'; done | head -c -1; echo ']'
[123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32,123.123.123.123/32]


Related issues

Copied from Bug #2190: apparent 1000 character limit in threshold.conf IP listsClosedJeff LucovskyActions
#1

Updated by Jeff Lucovsky 6 days ago

  • Copied from Bug #2190: apparent 1000 character limit in threshold.conf IP lists added

Also available in: Atom PDF