Snort mailing list archives
icmp large packets & ASN.1 Attack
From: Robert Young <kwailoe () pacbell net>
Date: Wed, 06 Nov 2002 14:18:52 -0800
I am running Snort 1.9.0 and it has oversight over a network of both Mac and Windows machines. I am receiving a very large number of detects on the ICMP large packets rule, more from inside my net than out. Does anyone know if large ICMP packets are a trait of Mac OS 10?

Also, recently I have been receiving detects as follows:

**115:5:1 (spp_asn1) ASN.1 Attacks: Datum length Packet Length **
11/05-01:50:56.340619 142.167.70.156:4251 -> 208.209.130.2:161
UDP TTL:114 TOS:0x28 ID:20774 IpLen:20 DgmLen:265

I checked, and the ASN.1 preprocessor is still experimental; however, I received thousands of detects each second, and after three hours the Snort alert log grew from 0 to 2,147,483,647 in size. The Snort box has crashed several times and indicates it is due to the packets exceeding an authorized length. I have shut the preprocessor off and blocked the IP addresses sending the traffic. Can anyone explain what the traffic may be?

Thanks for any input,
Bob Young
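Added example, not Snort's own spp_asn1 code and not code from the poster: a minimal BER TLV walker that performs the check the alert above names, comparing each datum's declared length against the bytes actually left in the datagram. It runs over an SNMPv1 GetRequest constructed inline (community "public", sysDescr.0), a copy of it with one length octet rewritten to overrun the packet, and a truncated copy. It does not reproduce the preprocessor's internals or the crash described in the post; it only shows what the "Datum length ... Packet Length" condition looks like on the wire, and why a parser must stop at the first such datum rather than keep reading.

```python
"""
Walk the BER TLV structure of an SNMP datagram and flag any datum whose
declared length runs past the bytes that are actually present.
Added example: not Snort's spp_asn1 code; the packets below are
constructed here, not captured from the poster's network.
"""
from typing import List, Optional, Tuple

CONSTRUCTED = 0x20  # bit 6 of the identifier octet: contents are nested TLVs


def read_tag(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (tag, next_pos). Only single-octet identifiers are accepted,
    which covers every type used by SNMPv1/v2c."""
    if pos >= len(buf):
        raise ValueError("truncated: no identifier octet")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not supported")
    return tag, pos + 1


def read_length(buf: bytes, pos: int) -> Tuple[Optional[int], int]:
    """Return (length, next_pos); length is None for the indefinite form.
    Long-form lengths are capped at 4 octets so a hostile length octet
    cannot make us read far past the buffer."""
    if pos >= len(buf):
        raise ValueError("truncated: no length octet")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form: the octet is the length
        return first, pos
    n = first & 0x7F
    if n == 0:                            # 0x80: indefinite form
        return None, pos
    if n > 4:
        raise ValueError(f"long-form length of {n} octets not supported")
    if pos + n > len(buf):
        raise ValueError("truncated: long-form length octets missing")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def check_ber(buf: bytes) -> List[str]:
    """Return a list of findings; an empty list means every datum fits inside
    the packet. The walk stops at the first bad datum because nothing after it
    can be located reliably."""
    findings: List[str] = []
    _walk(buf, 0, len(buf), findings)
    return findings


def _walk(buf: bytes, pos: int, end: int, findings: List[str]) -> None:
    while pos < end:
        start = pos
        try:
            tag, pos = read_tag(buf, pos)
            length, pos = read_length(buf, pos)
        except ValueError as exc:
            findings.append(f"offset {start}: {exc}")
            return
        if length is None:
            findings.append(f"offset {start}: indefinite length (SNMP requires the definite form)")
            return
        remaining = end - pos
        if length > remaining:             # the datum-length-exceeds-packet case
            findings.append(f"offset {start}: datum length {length} > {remaining} bytes remaining")
            return
        if tag & CONSTRUCTED:              # SEQUENCE / PDU wrapper: recurse into its contents
            _walk(buf, pos, pos + length, findings)
        pos += length


def tlv(tag: int, payload: bytes) -> bytes:
    """Encode one definite-length TLV (used only to build the sample packets)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    len_octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_octets)]) + len_octets + payload


# Constructed SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0), community "public".
_oid = tlv(0x06, bytes([0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00]))
_varbind_list = tlv(0x30, tlv(0x30, _oid + tlv(0x05, b"")))            # one VarBind with NULL value
_pdu = tlv(0xA0, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + _varbind_list)
GOOD_SNMP_GET = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, b"public") + _pdu)  # 40 bytes

# Same packet with the community-string length octet (offset 6) rewritten to
# claim 127 bytes when only 33 follow it.
_bad = bytearray(GOOD_SNMP_GET)
_bad[6] = 0x7F
BAD_SNMP_GET = bytes(_bad)

# A datagram cut short: the outer SEQUENCE promises more bytes than arrived.
TRUNCATED_SNMP_GET = GOOD_SNMP_GET[:20]

if __name__ == "__main__":
    for name, pkt in [("good", GOOD_SNMP_GET), ("bad", BAD_SNMP_GET), ("truncated", TRUNCATED_SNMP_GET)]:
        print(name, check_ber(pkt) or "ok")
```

The walker only bounds-checks lengths; it does not validate field contents, so it is a fit for a preprocessor-style sanity pass rather than a full SNMP decoder. Note that a single flipped length octet is enough to trip the check, which is why malformed or fuzzed SNMP traffic tends to raise one alert per packet.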
Current thread:
- icmp large packets & ASN.1 Attack Robert Young (Nov 06)
- Re: icmp large packets & ASN.1 Attack Robby Desmond (Nov 07)
- <Possible follow-ups>
- RE: icmp large packets & ASN.1 Attack Grime, Richard S (Nov 07)