[Snort-devel] Bug in asn1 preprocessor

peleus peleus at ...1667...
Tue Nov 12 13:09:04 EST 2002


        I am running snort 1.9.0 with unified logging and the ASN1
preprocessor on a Linux 2.4 machine.  I am running into a problem where
the asn preprocessor is entering into an infinite loop writing the
following log to snort.alert:

11/10/02-06:37:00.788258  [**] [115:5:1] spp_asn1: ASN.1 Attack: Datum
length > packet length [**] [Classification: Not Suspicious Traffic]
[Priority: 5] {UDP} ###.##.#.###:### -> ###.###.###.##:###

        I replaced the internal IP with pound signs so as not to have our
internal network permanently saved on the net.  The time stamp down to the
millisecond does not change in any of the entries.  It is the same entry
being written over and over in snort.alert until the disk runs out of
space.  The packet only gets written to snort.log once.  I was looking at
the source code in spp_asn1.c and noticed that the following section in
ASN1Decode does not contain a "return" call.  Could this be the source of
the bug or is this intentional?

thanks,
  Peleus

beginning line 205
            if((length + i) > size)
            {
                SetEvent(&event, GENERATOR_SPP_ASN1,
ASN1_DATUM_BAD_LENGTH,
                        1, 0, 5, 0);

                CallAlertFuncs(p,ASN1_DATUM_BAD_LENGTH_STR, NULL, &event);

                CallLogFuncs(p,  ASN1_DATUM_BAD_LENGTH_STR, NULL, &event);
            }







More information about the Snort-devel mailing list