[Snort-devel] Snort 1.9 cvs - ASN.1

Steve Rudolph srudolph at ...1213...
Thu Apr 25 13:15:51 EDT 2002


Snort Developers,
First I would like to thank all of you for your very hard work to make
us all more aware of our own networks.

Problem:  I have installed snort 1.9 from CVS.  It seems to be reporting
ASN.1 violations repeatedly from our SNMP management stations.
As such:
[**] [115:5:1] ASN.1 Attack: Datum length > packet length [**]
04/25-15:57:17.205833 abc.abc.155.48:53102 -> abc.abc.146.14:161
UDP TTL:253 TOS:0x0 ID:29338 IpLen:20 DgmLen:170 DF
Len: 150

[**] [115:5:1] ASN.1 Attack: Datum length > packet length [**]
04/25-15:57:17.205833 abc.abc.155.48:53102 -> abc.abc.146.14:161
UDP TTL:253 TOS:0x0 ID:29338 IpLen:20 DgmLen:170 DF
Len: 150

[**] [115:4:1] ASN.1 spec violation, possible overflow
 [**]
04/25-15:57:17.205833 abc.abc.155.48:53102 -> abc.abc.146.14:161
UDP TTL:253 TOS:0x0 ID:29338 IpLen:20 DgmLen:170 DF
Len: 150

[**] [115:5:1] ASN.1 Attack: Datum length > packet length [**]
04/25-15:57:17.275187 abc.abc.155.48:53101 -> abc.abc.131.3:161
UDP TTL:253 TOS:0x0 ID:28612 IpLen:20 DgmLen:168 DF
Len: 148

[**] [115:4:1] ASN.1 spec violation, possible overflow
 [**]
04/25-15:57:17.275187 abc.abc.155.48:53101 -> abc.abc.131.3:161
UDP TTL:253 TOS:0x0 ID:28612 IpLen:20 DgmLen:168 DF
Len: 148

[**] [115:5:1] ASN.1 Attack: Datum length > packet length [**]
04/25-15:57:17.304742 abc.abc.155.48:53101 -> abc.abc.131.3:161
UDP TTL:253 TOS:0x0 ID:28613 IpLen:20 DgmLen:168 DF
Len: 148

I find it strange that it is reporting only the machines polling SNMP.
Can anyone give me an idea of what is up with this?
I can get you more information if needed.

Thanks for your help,
Steve
--
Steve Rudolph CCSA, CCSE
Network Security Engineer 
Internet Operations Center
Southfield, MI