Bug #7419

open

Incomplete logging message

Added by Eric Leblond 28 days ago. Updated 28 days ago.

Status: New
Priority: Normal

Description

When logging the engine message in the JSON format, we expect to have valid JSON messages so the parsing can be handled correctly by external tools.

But it happens that some messages can exceed the maximum length. For example, the signature max length is 8198, so if a signature is long and invalid, it is written to the log by the engine. As the maximum length for a message is 2048, we end up with incomplete JSON in the log.

Issue discovered by Juliana: https://github.com/StamusNetworks/suricata-language-server/issues/11

Actions #1

Updated by Jason Ish 28 days ago

Something like 8k plus some would be OK I think. I guess we'd want to have enough to log a message plus minimum rule size, since the SID is often right at the end!

Actions #2

Updated by Eric Leblond 28 days ago

Jason Ish wrote in #note-1:

Something like 8k plus some would be OK I think. I guess we'd want to have enough to log a message plus minimum rule size, since the SID is often right at the end!

Would it be overkill to use a dynamic size to avoid any issue? But to be honest, I don't see how we can have something longer than the error message on signature.
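
An added illustration of the truncation described in this issue (not Suricata's code and not part of the original thread): formatting the whole record into a 2048-byte buffer cuts off the closing quote and brace, while truncating only the message value keeps the line parseable. The record layout and the function names are assumptions made for the example; the two size limits are the ones quoted in the description.

```c
#include <stdio.h>
#include <string.h>

#define LOG_MAX 2048   /* message limit quoted in the issue */
#define SIG_MAX 8198   /* signature limit quoted in the issue */

/* Returns 1 if every string and object opened in `s` is closed again. */
static int json_closed(const char *s) {
    int depth = 0, in_str = 0;
    for (; *s; s++) {
        if (in_str) {
            if (*s == '\\' && s[1]) s++;          /* skip the escaped char */
            else if (*s == '"') in_str = 0;
        } else if (*s == '"') in_str = 1;
        else if (*s == '{') depth++;
        else if (*s == '}') depth--;
    }
    return !in_str && depth == 0;
}

/* Failure mode: format the whole record and let the buffer cut it off. */
static void log_naive(char *out, size_t cap, const char *msg) {
    snprintf(out, cap, "{\"event_type\":\"engine\",\"message\":\"%s\"}", msg);
}

/* Truncate the message value, never the JSON framing (simplified record). */
static void log_bounded(char *out, size_t cap, const char *msg) {
    static const char head[] = "{\"event_type\":\"engine\",\"message\":\"";
    static const char tail[] = "\"}";
    size_t n = sizeof(head) - 1, room = cap - sizeof(tail); /* tail + NUL */
    memcpy(out, head, n);
    for (; *msg; msg++) {
        char c = (unsigned char)*msg < 0x20 ? ' ' : *msg;   /* no raw controls */
        int esc = (c == '"' || c == '\\');
        if (n + 1 + esc > room) break;            /* keep escape pairs whole */
        if (esc) out[n++] = '\\';
        out[n++] = c;
    }
    memcpy(out + n, tail, sizeof(tail));          /* copies the NUL as well */
}

int main(void) {
    char sig[SIG_MAX] = {0}, out[LOG_MAX];
    memset(sig, 'A', sizeof(sig) - 1);            /* constructed over-long signature */
    log_naive(out, sizeof(out), sig);
    printf("naive:   len=%zu closed=%d\n", strlen(out), json_closed(out));
    log_bounded(out, sizeof(out), sig);
    printf("bounded: len=%zu closed=%d\n", strlen(out), json_closed(out));
}
```
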
