Bug #451

Unable to identify root cause of error parsing a rule when a long 'Source or Destination address list excedd' the maximum size of the buffer available.

Added by Roberto Martelloni about 6 years ago. Updated about 6 years ago.

Target version:
Affected Versions:


When I write a rule with a lot of IPv4 address in the source or destination field I get an error on parsing it and in response suricata don't give useful information to identify the root cause of the problem.

The error message response is bellow and attached there is the rule, so anyone can check that a ']' is not missing and the problem is the ' BIG LIST of IPv4 ADDRESS' :>

19/4/2012 -- 10:43:49 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - not every address block was properly closed in "[ BIG LIST of IPv4 ADDRESS ]", 1 missing closing brackets (]). Note: problem might be in a variable.
19/4/2012 -- 10:43:49 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip [ BIG LIST of IPv4 ADDRESS ] any <> any any (msg:"IP blacklist APT"; reference:url,; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:12345600; rev:2;)" from file /etc/suricata/rules/ip-apt.rules at line 3


#1 Updated by Peter Manev about 6 years ago

Hi ,
Just double checked with Suricata version 1.3dev (rev 61d5fe3), with the ip-apt.rules file provided.
I can confirm the problem.

If the IPs are 89 and below (count, 89 ip addresses ), there is no issues, as soon as they are 90 and above , we get the aforementioned rule failing to load with wrong err msg.


#2 Updated by Anoop Saldanha about 6 years ago

  • Assignee set to Anoop Saldanha

#3 Updated by Victor Julien about 6 years ago

  • Priority changed from Low to Normal
  • Target version changed from 1.2.1 to 1.3beta2
  • Estimated time set to 4.00 h

#5 Updated by Victor Julien about 6 years ago

I think this fix is missing a meaningful error for when the address size limit is reached. Increasing the size certainly limits the possibility of this happening (esp since where is a total rule limit as well). Expansion of vars still allows for overrunning this limit I think, so an error is needed.

#7 Updated by Victor Julien about 6 years ago

  • Status changed from Resolved to Closed

Both applied, thanks Anoop!

Also available in: Atom PDF