Snort mailing list archives
RE: icmp large packets & ASN.1 Attack
From: "Grime, Richard S" <richard.grime () ic ac uk>
Date: Thu, 7 Nov 2002 10:16:51 -0000
We saw the same thing with the ASN preprocessor - looking at the packets, it appeared to be MS Exchange / Outlook traffic.

Richard

-----Original Message-----
From: Robert Young [mailto:kwailoe () pacbell net]
Sent: 06 November 2002 22:19
To: snort-users () lists sourceforge net
Subject: [Snort-users] icmp large packets & ASN.1 Attack

I am running snort-1.9.0 and it has oversight over a network of both Mac and Windows machines. I am receiving a very large number of detects on the icmp large packets rule, more from inside my net than out. Does anyone know if the large ICMP packets are a trait of Mac OS 10?

Also recently I have been receiving detects as follows:

[**] [115:5:1] (spp_asn1) ASN.1 Attacks: Datum length > Packet Length [**]
11/05-01:50:56.340619 142.167.70.156:4251 -> 208.209.130.2:161
UDP TTL:114 TOS:0x28 ID:20774 IpLen:20 DgmLen:265

I checked and the ASN1 preprocessor is still experimental. However, I received thousands of detects each second, and after three hours the snort alert log grew from 0 to 2,147,483,647 in size. The snort box has crashed several times and indicates it is due to the packets exceeding an authorized length. I have shut the preprocessor off and blocked the IP addresses sending the traffic. Can anyone explain what the traffic may be?

Thanks for any input
Bob Young

-------------------------------------------------------
This sf.net email is sponsored by: See the NEW Palm Tungsten T handheld. Power & Color in a compact size!
http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0001en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
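The alert Bob quotes is in Snort 1.x's full alert format (a `[**] [gid:sid:rev] msg [**]` header, an address line, an IP-header line), and the two questions the thread raises, which source is flooding the sensor and why the file stopped at exactly 2,147,483,647 bytes, can both be answered from that file. The following is an added example, not code from the thread or from the Snort project: a parser for that record format plus two aggregations a practitioner would run over a ballooning alert file. The sample log is constructed for the example (RFC 5737 documentation addresses, made-up times); only the record layout matches the real output. The `seconds_to_fill` helper assumes a fixed average record size. Two facts worth knowing when reading the output: UDP/161 is SNMP, whose messages are ASN.1 BER encoded, which is why spp_asn1 inspects them at all; and 2,147,483,647 is 2^31-1, the largest file a 32-bit signed file offset can address, so the log was not growing any further whatever Snort did.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in the Snort 1.x full alert format quoted in the thread.
# Addresses are RFC 5737 documentation ranges, not real hosts; the first four
# records imitate the burst Bob describes, the fifth an ICMP alert (no ports).
SAMPLE_ALERT_LOG = """\
[**] [115:5:1] (spp_asn1) ASN.1 Attacks: Datum length > Packet Length [**]
11/05-01:50:56.340619 192.0.2.10:4251 -> 198.51.100.2:161
UDP TTL:114 TOS:0x28 ID:20774 IpLen:20 DgmLen:265

[**] [115:5:1] (spp_asn1) ASN.1 Attacks: Datum length > Packet Length [**]
11/05-01:50:56.340702 192.0.2.10:4252 -> 198.51.100.2:161
UDP TTL:114 TOS:0x28 ID:20775 IpLen:20 DgmLen:265

[**] [115:5:1] (spp_asn1) ASN.1 Attacks: Datum length > Packet Length [**]
11/05-01:50:56.340811 192.0.2.10:4253 -> 198.51.100.2:161
UDP TTL:114 TOS:0x28 ID:20776 IpLen:20 DgmLen:265

[**] [115:5:1] (spp_asn1) ASN.1 Attacks: Datum length > Packet Length [**]
11/05-01:50:56.340933 192.0.2.10:4254 -> 198.51.100.2:161
UDP TTL:114 TOS:0x28 ID:20777 IpLen:20 DgmLen:265

[**] [1:499:3] ICMP Large ICMP Packet [**]
11/05-01:50:57.001200 10.0.0.21 -> 10.0.0.1
ICMP TTL:64 TOS:0x0 ID:4122 IpLen:20 DgmLen:1500

[**] [115:5:1] (spp_asn1) ASN.1 Attacks: Datum length > Packet Length [**]
11/05-01:51:02.117300 203.0.113.7:1029 -> 198.51.100.2:161
UDP TTL:120 TOS:0x0 ID:301 IpLen:20 DgmLen:144
"""

HEADER_RE = re.compile(r'^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$')
# time, src, optional sport, dst, optional dport (ICMP records carry no ports)
PACKET_RE = re.compile(r'^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ +'
                       r'([0-9.]+)(?::(\d+))? -> ([0-9.]+)(?::(\d+))?$')
PROTO_RE = re.compile(r'^(\w+) TTL:\d+ TOS:0x[0-9A-Fa-f]+ ID:\d+ IpLen:\d+ DgmLen:(\d+)')


def parse_alerts(text: str) -> List[Dict]:
    """Parse full-format alert records (header line, address line, optional
    IP-header line, blank separator). Malformed or truncated records are
    skipped rather than aborting: a file that hit the size limit ends mid-record."""
    alerts: List[Dict] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        h = HEADER_RE.match(lines[i])
        p = PACKET_RE.match(lines[i + 1]) if h and i + 1 < len(lines) else None
        if not p:
            i += 1
            continue
        rec = {
            'sig': f'{h.group(1)}:{h.group(2)}',   # gid:sid, e.g. 115:5
            'msg': h.group(4),
            'time': p.group(1),                    # second resolution
            'src': p.group(2), 'sport': int(p.group(3)) if p.group(3) else None,
            'dst': p.group(4), 'dport': int(p.group(5)) if p.group(5) else None,
            'proto': None, 'dgmlen': None,
        }
        i += 2
        if i < len(lines):
            q = PROTO_RE.match(lines[i])
            if q:
                rec['proto'], rec['dgmlen'] = q.group(1), int(q.group(2))
                i += 1
        alerts.append(rec)
    return alerts


def top_talkers(alerts: List[Dict], n: int = 5) -> List[Tuple[Tuple, int]]:
    """Alert counts by (signature, src, dst, dport), most frequent first:
    the head of this list is where to look when an alert file balloons."""
    return Counter((a['sig'], a['src'], a['dst'], a['dport'])
                   for a in alerts).most_common(n)


def flood_sources(alerts: List[Dict], per_second: int) -> Dict[Tuple[str, str], int]:
    """{(src, second): count} for sources exceeding per_second alerts within one
    wall-clock second: candidates to block upstream, or to exempt from the
    preprocessor, while the false positive is investigated."""
    counts = Counter((a['src'], a['time']) for a in alerts)
    return {k: v for k, v in counts.items() if v > per_second}


def seconds_to_fill(record_bytes: int, alerts_per_second: int,
                    limit: int = 2**31 - 1) -> float:
    """Seconds until the alert file reaches `limit` bytes at a constant rate.
    2**31-1 is the largest 32-bit signed file offset, the size Bob reported."""
    return limit / (record_bytes * alerts_per_second)


if __name__ == '__main__':
    parsed = parse_alerts(SAMPLE_ALERT_LOG)
    for key, count in top_talkers(parsed):
        print(count, key)
    print('flooding:', flood_sources(parsed, per_second=3))
    print('hours to 2 GiB at 1000 alerts/s of ~200 bytes:',
          round(seconds_to_fill(200, 1000) / 3600, 1))
```

Run against a real alert file, `top_talkers` separates a handful of noisy internal SNMP pollers (or, as Richard saw, Exchange/Outlook hosts) from a genuine attack by showing the same signature repeating from the same few sources to the same destination port, which is what one expects of a preprocessor false positive on legitimate BER traffic. The arithmetic in `seconds_to_fill` matches the numbers in the post: at roughly 200 bytes per full-format record and 1000 alerts per second, 2^31-1 bytes is reached in about three hours.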
Current thread:
- icmp large packets & ASN.1 Attack Robert Young (Nov 06)
- Re: icmp large packets & ASN.1 Attack Robby Desmond (Nov 07)
- <Possible follow-ups>
- RE: icmp large packets & ASN.1 Attack Grime, Richard S (Nov 07)