Snort mailing list archives

Re: icmp large packets & ASN.1 Attack


From: Robby Desmond <rdesmond () els ucsb edu>
Date: Wed, 06 Nov 2002 14:21:23 -0800

At 02:18 PM 11/6/02 -0800, Robert Young wrote:
> I am running snort-1.9.0 and it has oversight over a network of both
> Mac and Windows machines. I am receiving a very large number of
> detects on the icmp large packets rule, more from inside my net than
> out. Does anyone know if the large ICMP packets are a trait of the Mac
> OS 10?

Dunno about your ASN.1 problem, but everyone else keeps just saying to comment it out.

As for the Macs, I've noticed that OS X and even 8 or 9 would cause NMAP alerts to fire any time they connected to the Mac file sharing on our Win2k server.

The G4s with OS X over here seem to be also causing these large-packet alerts.

I don't know why, but I can tell you it is normal behavior.

-Robby

Robert Desmond
Systems Administrator
UCSB Extended Learning Services
805-893-4906


