[Snort-sigs] thousands of false positive alerts: spp_asn1: ASN.1 Attack: Datum length > packet length
roman at ...1192...
Tue Jan 21 22:02:04 EST 2003
Snort suddenly reports a huge amount (around 200000) of alerts in just 2
seconds. It has already happened 2 times during the last 2 days, only while
testing on our local network. Which makes our DB server (mysql) a little
bit out of work. Approaching alerts via ACID interface is also nearly
reported msg is:
spp_asn1: ASN.1 Attack: Datum length > packet length
1.) how can I solve this problem?
2.) is there a mechanism to limit number of reports of one rule per
second/minute (for example to 300)?
3.) how can I disable this one specific rule, which causes me trouble
(as it's not just a rule...it somehow uses gen-msg table...)?
thanks in advance