From d66564fe23f8ec4fb5827504bed7b651fe25d52a Mon Sep 17 00:00:00 2001
From: MDLeom <2809763-curben@users.noreply.gitlab.com>
Date: Fri, 19 Mar 2021 22:16:30 +0000
Subject: [PATCH] docs: limitation of snort2

---
 script.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/script.sh b/script.sh
index dd497dc0..c658f1c9 100644
--- a/script.sh
+++ b/script.sh
@@ -309,6 +309,7 @@ while read URL; do
   HOST=$(echo "$URL" | cut -d"/" -f1)
   URI=$(echo "$URL" | sed -e "s/^$HOST//" -e "s/;/\\\;/g")
 
+  # Snort2 only supports <=2047 characters of `content`
   SN_RULE="alert tcp \$HOME_NET any -> \$EXTERNAL_NET [80,443] (msg:\"urlhaus-filter malicious website detected\"; flow:established,from_client; content:\"GET\"; http_method; content:\"$(echo $URI | cut -c -2047)\"; http_uri; nocase; content:\"$HOST\"; content:\"Host\"; http_header; classtype:trojan-activity; sid:$SID; rev:1;)"
 
   SN3_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"urlhaus-filter malicious website detected\"; http_header:field host; content:\"$HOST\",nocase; http_uri; content:\"$URI\",nocase; classtype:trojan-activity; sid:$SID; rev:1;)"