[Snort-devel] bug in ASN.1 Plugin ?

Russell Fulton r.fulton at ...1343...
Mon Apr 29 22:27:03 EDT 2002


System Architecture (Sparc, x86, etc) : x86 
Operating System and version (Linux 2.0.22, IRIX 5.3, etc) 
Linux ruru 2.4.16-itss1 #2 Fri Dec 21 23:13:25 NZDT 2001 i686 unknown
What rules (if any) you were using
 rules in snortrules-current.tar.gz Mon Apr 29 23:32:46 2002
What command line switches you were using
snort -A fast -b -c rules.130.216.0.0 -D -e -h 130.216.0.0/16 -i eth1 -l /home/snort...

I installed the snort-daily.tar.gz of Mon Apr 29 23:32:45 2002.
In the first half hour I got over 9000 alerts like this:

[**] ASN.1 Attack: Datum length > packet length [**]
04/30-03:41:41.313832 0:E0:1E:8E:31:71 -> 0:0:C:46:5C:D1 type:0x800
len:0x5D
130.216.191.17:41669 -> 130.216.1.253:161 UDP TTL:253 TOS:0x0 ID:31701
IpLen:20 DgmLen:79 DF
Len: 59
30 82 00 2F 02 01 00 04 06 70 75 62 6C 69 63 A0  0../.....public.
82 00 20 02 04 63 0E 33 72 02 01 00 02 01 00 30  .. ..c.3r......0
82 00 10 30 82 00 0C 06 08 2B 06 01 02 01 01 03  ...0.....+......
00 05 00                                         ...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ASN.1 Attack: Datum length > packet length [**]
04/30-03:41:41.322036 0:E0:1E:8E:31:71 -> 0:0:C:46:5C:D1 type:0x800
len:0x5D
130.216.191.17:41669 -> 130.216.1.253:161 UDP TTL:253 TOS:0x0 ID:31702
IpLen:20 DgmLen:79 DF
Len: 59
30 82 00 2F 02 01 00 04 06 70 75 62 6C 69 63 A0  0../.....public.
82 00 20 02 04 63 0E 33 72 02 01 00 02 01 00 30  .. ..c.3r......0
82 00 10 30 82 00 0C 06 08 2B 06 01 02 01 01 03  ...0.....+......
00 05 00                                         ...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ASN.1 Attack: Datum length > packet length [**]
04/30-03:41:42.322184 0:E0:1E:8E:31:71 -> 0:0:C:46:5C:D1 type:0x800
len:0x5D
130.216.191.17:41669 -> 130.216.1.253:161 UDP TTL:253 TOS:0x0 ID:31703
IpLen:20 DgmLen:79 DF
Len: 59
30 82 00 2F 02 01 00 04 06 70 75 62 6C 69 63 A0  0../.....public.
82 00 20 02 04 63 0E 33 72 02 01 00 02 01 00 30  .. ..c.3r......0
82 00 10 30 82 00 0C 06 08 2B 06 01 02 01 01 03  ...0.....+......
00 05 00                                         ...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ASN.1 Attack: Datum length > packet length [**]
04/30-03:41:43.322322 0:E0:1E:8E:31:71 -> 0:0:C:46:5C:D1 type:0x800
len:0x5D
130.216.191.17:41669 -> 130.216.1.253:161 UDP TTL:253 TOS:0x0 ID:31704
IpLen:20 DgmLen:79 DF
Len: 59
30 82 00 2F 02 01 00 04 06 70 75 62 6C 69 63 A0  0../.....public.
82 00 20 02 04 63 0E 33 72 02 01 00 02 01 00 30  .. ..c.3r......0
82 00 10 30 82 00 0C 06 08 2B 06 01 02 01 01 03  ...0.....+......
00 05 00                                         ...
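
Added example, not part of the original post and not Snort's code: a minimal BER tag/length walker run over the 51-byte UDP payload copied from the first alert's hex dump, checking every declared length against its enclosing element. The function names `read_header` and `walk` are hypothetical, and single-octet tags and definite lengths are assumed.

```python
"""BER length check over the SNMP payload shown in the alert's hex dump."""

# 51-byte UDP payload copied from the first alert (UDP "Len: 59" minus the 8-byte header).
PAYLOAD = bytes.fromhex(
    "30 82 00 2F 02 01 00 04 06 70 75 62 6C 69 63 A0 "
    "82 00 20 02 04 63 0E 33 72 02 01 00 02 01 00 30 "
    "82 00 10 30 82 00 0C 06 08 2B 06 01 02 01 01 03 "
    "00 05 00"
)

def read_header(buf, pos, end):
    """Decode one tag/length header; return (tag, header_len, length, long_form)."""
    if pos + 2 > end:
        raise ValueError(f"truncated header at offset {pos}")
    tag, first = buf[pos], buf[pos + 1]      # assumption: single-octet tags only
    if first < 0x80:                         # short form: the octet is the length
        return tag, 2, first, False
    n = first & 0x7F                         # long form: next n octets hold the length
    if n == 0 or pos + 2 + n > end:          # 0x80 (indefinite form) is rejected here
        raise ValueError(f"bad length-of-length at offset {pos}")
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), True

def walk(buf, pos=0, end=None, depth=0):
    """Return (depth, offset, tag, length, long_form) for every TLV.

    Raises ValueError if any datum runs past the element that contains it.
    """
    end = len(buf) if end is None else end
    out = []
    while pos < end:
        tag, hdr, length, long_form = read_header(buf, pos, end)
        body = pos + hdr
        if body + length > end:
            raise ValueError(
                f"datum length {length} at offset {pos} exceeds {end - body} bytes available")
        out.append((depth, pos, tag, length, long_form))
        if tag & 0x20:                       # constructed type: descend into its contents
            out += walk(buf, body, body + length, depth + 1)
        pos = body + length
    return out

if __name__ == "__main__":
    for depth, off, tag, length, long_form in walk(PAYLOAD):
        form = "long-form" if long_form else "short-form"
        print(f"{'  ' * depth}offset={off:2d} tag=0x{tag:02X} len={length:2d} {form}")
```

On this payload every declared length fits inside the packet; the four `82 00 xx` lengths are long-form encodings of values below 128.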


