Project

General

Profile

Actions
Copy link

Bug #7419

open

Incomplete logging message

Added by Eric Leblond 3 days ago. Updated 3 days ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
7.0.9, git master
Effort:
Difficulty:
Label:

Description

When logging the engine message in the JSON format, we expect to have valid JSON messages so the parsing can be handled correctly by external tool.

But it happens that some messages can exceed the maximum length. For example, the signature max length is 8198 so if a signature is long and invalid it is written to the log by the engine. As the maximum length for message is 2048, we end up with incomplete JSON in the log.

Issue discovered by Juliana: https://github.com/StamusNetworks/suricata-language-server/issues/11

Actions
Copy link
 #1

Updated by Jason Ish 3 days ago

Something like 8k plus some would be OK I think. I guess we'd want to have enough to log a message plus minimum rule size, since the SID is often right at the end!

Actions
Copy link
 #2

Updated by Eric Leblond 3 days ago

Jason Ish wrote in #note-1:

Something like 8k plus some would be OK I think. I guess we'd want to have enough to log a message plus minimum rule size, since the SID is often right at the end!

Would it be overkill to use a dynamic size to avoid any issue ? But to be honest, I don't see how we can have something longer than the error message on signature.

Actions
Copy link

Also available in: Atom PDF