Snort mailing list archives

icmp large packets & ASN.1 Attack


From: Robert Young <kwailoe () pacbell net>
Date: Wed, 06 Nov 2002 14:18:52 -0800

I am running snort-1.9.0 and it has oversight over a network of both
Mac and Windows machines. I am receiving a very large number of
detects on the icmp large packets rule, more from inside my net than
out. Does anyone know if the large ICMP packets are a trait of Mac
OS 10?

Also, recently I have been receiving detects as follows:

**115:5:1 (spp_ans1) ASN.1 Attacks: Datum length Packet Length **
11/05-01:50:56.340619 142.167.70.156 4251 > 208.209.130.2 161
UDP TTL:114 TOS )x28 ID 20774 IPlen:20 Dgmlen 265.

I checked and the ASN1 preprocessor is still experimental. However, I
received thousands of detects each second, and after three hours the
snort alert log grew from 0 to 2,147,483,647 in size. The snort box
has crashed several times and indicates it is due to the packets
exceeding an authorized length. I have shut the preprocessor off and
blocked the IP addresses sending the traffic. Can anyone explain what
the traffic may be?

Thanks for any input

Bob Young
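One way to triage an alert flood like the one reported above (example code added here, not from the post or the Snort project): it parses alert records in the three-line shape quoted in the message, using constructed sample records with RFC 5737 test addresses, and reports the source/SID pairs whose count reaches a threshold, which are the pairs a block or rate-limit would be aimed at.

```python
import re
from collections import Counter

# Constructed sample alerts in the three-line shape quoted in the post
# (RFC 5737 test addresses, not the addresses from the original report).
SAMPLE_LOG = """\
**115:5:1 (spp_asn1) ASN.1 Attacks: Datum length Packet Length **
11/05-01:50:56.340619 192.0.2.10 4251 > 198.51.100.2 161
UDP TTL:114 TOS 0x28 ID 20774 IPlen:20 Dgmlen 265
**115:5:1 (spp_asn1) ASN.1 Attacks: Datum length Packet Length **
11/05-01:50:56.340801 192.0.2.10 4252 > 198.51.100.2 161
UDP TTL:114 TOS 0x28 ID 20775 IPlen:20 Dgmlen 265
**115:5:1 (spp_asn1) ASN.1 Attacks: Datum length Packet Length **
11/05-01:50:57.001200 192.0.2.10 4253 > 198.51.100.2 161
UDP TTL:114 TOS 0x28 ID 20776 IPlen:20 Dgmlen 265
**1:499:3 ICMP Large ICMP Packet **
11/05-01:51:02.112233 192.0.2.77 > 198.51.100.9
ICMP TTL:64 TOS 0x0 ID 1 IPlen:20 Dgmlen 1480
"""

# Header: **gid:sid:rev message **   Flow: timestamp src [port] > dst [port]
HEADER_RE = re.compile(r"^\*\*(\d+):(\d+):(\d+)\s+(.*?)\s*\*\*$")
FLOW_RE = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})(?:\s+(\d+))?\s*>\s*"
    r"(\d{1,3}(?:\.\d{1,3}){3})(?:\s+(\d+))?$")


def parse_alerts(text):
    """Turn three-line alert records into dicts; records that do not match are skipped."""
    alerts = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for i in range(0, len(lines) - 2, 3):
        head, flow = HEADER_RE.match(lines[i]), FLOW_RE.match(lines[i + 1])
        if not (head and flow):
            continue
        alerts.append({
            "gid": int(head.group(1)), "sid": int(head.group(2)), "msg": head.group(4),
            "ts": flow.group(1), "src": flow.group(2), "dst": flow.group(4),
            "proto": lines[i + 2].split()[0],
        })
    return alerts


def flood_sources(alerts, threshold):
    """(source IP, sid) pairs whose alert count reaches the threshold, sorted."""
    counts = Counter((a["src"], a["sid"]) for a in alerts)
    return sorted(key for key, n in counts.items() if n >= threshold)
```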


