[Snort-devel] thousands of false positive alerts: spp_asn1: ASN.1 Attack: Datum length > packet length
Andrew R. Baker
andrewb at ...835...
Tue Jan 7 06:39:04 EST 2003
Roman Varga wrote:
> Hello ;>
> Snort suddenly reports a huge amount (around 200000) of alerts in just 2
> seconds. It happened already 2 times during the last 2 days only while
> testing on our local network. Which makes our DB server (mysql) a little
> bit out of work. Approaching alerts via ACID interface is also nearly
> reported msg is:
> spp_asn1: ASN.1 Attack: Datum length > packet length
> 1.) how can I solve this problem?
> 2.) is there a mechanism to limit number of reports of one rule per
> second/minute (for example to 300)?
> 3.) how can I disable this specific one rule, which causes me trouble
> (as it's not just a rule...it somehow uses gen-msg table...)?
These alerts are generated by the experimental ASN.1 preprocessor. To
get rid of them, turn off the preprocessor. Find the line:
and either delete it or add a '#' to the beginning of it.