[Snort-devel] thousands of false positive alerts: spp_asn1: ASN.1 Attack: Datum length > packet length

Andrew R. Baker andrewb at ...835...
Tue Jan 7 06:39:04 EST 2003


Roman Varga wrote:
> 
>     Hello ;>
> 
> Snort suddenly reports a huge amount (around 200000) of alerts in just 2 
> seconds. It happened already 2 times during the last 2 days, only while 
> testing on our local network, which makes our DB server (mysql) a little 
> bit out of work. Approaching alerts via the ACID interface is also nearly 
> impossible.
> 
> reported msg is:
> spp_asn1: ASN.1 Attack: Datum length > packet length
> 
> questions:
> 1.) how can I solve this problem?
> 
> 2.) is there a mechanism to limit number of reports of one rule per 
> second/minute (for example to 300)?
> 
> 3.) how can I disable this specific one rule, which causes me trouble 
> (as it's not just a rule...it somehow uses the gen-msg table...)?

These alerts are generated by the experimental ASN.1 preprocessor.  To 
get rid of them, turn off the preprocessor.  Find the line:

preprocessor asn1_decode

and either delete it or add a '#' to the beginning of it.

-A
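As an added example that is not part of the original thread, this POSIX shell snippet performs the edit Andrew describes on a snort.conf: it comments out the active `preprocessor asn1_decode` line, leaves lines that are already commented alone, and lets you check afterwards that no active line remains. The sample configuration fragment is constructed for a stand-alone run; the function names and the `.bak` backup convention are assumptions, not Snort's own.

```shell
# Return 0 if an active (uncommented) "preprocessor asn1_decode" line exists
# in the given snort.conf, 1 otherwise.
asn1_preprocessor_active() {
    grep -Eq '^[[:space:]]*preprocessor[[:space:]]+asn1_decode' "$1"
}

# Comment out every active "preprocessor asn1_decode" line in place,
# keeping a copy of the original config as <file>.bak.
# Other preprocessor lines and already-commented lines are left untouched.
disable_asn1_preprocessor() {
    conf="$1"
    cp "$conf" "$conf.bak" || return 1
    sed -E 's/^([[:space:]]*preprocessor[[:space:]]+asn1_decode)/#\1/' \
        "$conf.bak" > "$conf"
}

# Constructed sample snort.conf fragment (not a real deployment config) so the
# functions above can be exercised offline; written to the path given as $1.
make_sample_conf() {
    cat > "$1" <<'EOF'
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor asn1_decode
# preprocessor asn1_decode
preprocessor http_decode: 80
EOF
}
```

After running `disable_asn1_preprocessor /path/to/snort.conf`, restart Snort so the change takes effect.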
