[Snort-sigs] thousands of false positive alerts: spp_asn1: ASN.1 Attack: Datum length > packet length

Roman Varga roman at ...1192...
Tue Jan 21 22:02:04 EST 2003


Hello ;>

Snort suddenly reports a huge amount (around 200000) of alerts in just 2 
seconds. It happened already 2 times during the last 2 days, only while 
testing on our local network, which makes our DB server (mysql) a little 
bit out of work. Approaching alerts via the ACID interface is also nearly 
impossible.

The reported msg is:
spp_asn1: ASN.1 Attack: Datum length > packet length

Questions:
1.) How can I solve this problem?

2.) Is there a mechanism to limit the number of reports of one rule per 
second/minute (for example to 300)?

3.) How can I disable this specific rule, which causes me trouble 
(as it's not just a rule... it somehow uses the gen-msg table...)?

Thanks in advance,
Roman Varga