Snort mailing list archives

RE: icmp large packets & ASN.1 Attack

From: "Grime, Richard S" <richard.grime () ic ac uk>
Date: Thu, 7 Nov 2002 10:16:51 -0000

We saw the same thing with the ASN preprocessor - looking at the packets, it
appeared to be MS Exchange / Outlook traffic.

Richard

-----Original Message-----
From: Robert Young [mailto:kwailoe () pacbell net] 
Sent: 06 November 2002 22:19
To: snort-users () lists sourceforge net
Subject: [Snort-users] icmp large packets & ASN.1 Attack

I am running snort -1.9.0 and it has oversite over a network of both MAC
and  Windows machines.  I am  recieving a very large number of detects on
the icmp large packets rule more from inside my net than out.  Does any one
know if the large ICMP packets are a trait of the MAC os 10.

Also recently I have been recieving detects as follows:

**115:5:1 (spp_ans1) ASN.1 Attacks: Datum length Packet Length **
11/05-01:50:56.340619 142.167.70.156 4251 > 208.209.130.2 161 UDP TTL:114
TOS )x28 ID 20774 IPlen:20 Dgmlen 265.

I checked and the ASN1 preprocessor is still experimental.  however, I
received thousands of detects each second and after three hours the
snort alert log grew from 0 to 2,147,483,647 in size.   The snort box
has crashed several times and indicates it is due to the packets exceeding
an authorized length.  I have shut the preprocessor  off and blocked the IP
addresses sending the traffic.  Can any one explain what the traffic may be.

Thanks for any input

Bob Young

-------------------------------------------------------
This sf.net email is sponsored by: See the NEW Palm 
Tungsten T handheld. Power & Color in a compact size!
http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0001en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-------------------------------------------------------
This sf.net email is sponsored by: See the NEW Palm 
Tungsten T handheld. Power & Color in a compact size!
http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0001en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

icmp large packets & ASN.1 Attack Robert Young (Nov 06)
- Re: icmp large packets & ASN.1 Attack Robby Desmond (Nov 07)
- <Possible follow-ups>
- RE: icmp large packets & ASN.1 Attack Grime, Richard S (Nov 07)