[Snort-users] Repeated Alert since upgrading to 1.9

Eric Joe sysop at ...6291...
Thu Oct 17 07:23:06 EDT 2002


Since I started using Snort 1.9.0, I get a massive amount of these alerts.
In fact it makes the /var/log/snort/alert file grow to 2.0G within hours
at which time Snort (of course) dies.
Pardon my lack of knowledge, but what the heck is this alert?

The 2 machines involved are a Windows XP PC (source) and a Win2k PC
(destination). I realize these are SNMP port numbers, but can someone
explain the alert to me?
I can easily disable SNMP on the offending machine, but I would like to
learn from this.


[**] [115:5:1] (spp_asn1) ASN.1 Attack: Datum length > packet length [**]
10/17-09:35:58.137563 192.168.1.201:161 -> 192.168.1.8:162
UDP TTL:64 TOS:0x0 ID:51264 IpLen:20 DgmLen:211
Len: 191



Thanks in advance

-- 
Eric Joe
Network Operations
Journey's End Internet/Computer Connection Inc
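
The condition named in the alert text above, an ASN.1/BER length field that declares more bytes than the packet actually holds, can be checked as in the sketch below. This is an added example, not part of the original post and not Snort's spp_asn1 code; the function names and sample byte strings are constructed for illustration, and it assumes single-octet tags, as SNMP messages use.

```python
# Illustrative BER length sanity check (hypothetical helper names, constructed samples).

def read_length(buf, pos, end):
    """Decode the BER length starting at buf[pos]; return (length, offset of contents)."""
    if pos >= end:
        raise ValueError("truncated before length octet")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form: length is the octet itself
        return first, pos
    n = first & 0x7F                      # long form: next n octets hold the length
    if n == 0:
        raise ValueError("indefinite length")
    if pos + n > end:
        raise ValueError("truncated inside long-form length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n

def check_payload(buf):
    """Walk every TLV; return findings (empty list = all datum lengths fit)."""
    findings = []

    def walk(pos, end):
        while pos < end:
            tag = buf[pos]
            try:
                length, body = read_length(buf, pos + 1, end)
            except ValueError as exc:
                findings.append(f"offset {pos}: {exc}")
                return
            if body + length > end:       # declared length runs past available data
                findings.append(
                    f"offset {pos}: datum length {length} > {end - body} bytes remaining")
                return
            if tag & 0x20:                # constructed type: contents are nested TLVs
                walk(body, body + length)
            pos = body + length

    walk(0, len(buf))
    return findings

# Constructed samples: SEQUENCE { INTEGER 0, OCTET STRING "public" }
GOOD = bytes.fromhex("300b0201000406") + b"public"
BAD_OUTER = bytes.fromhex("307f0201000406") + b"public"    # outer length inflated
BAD_NESTED = bytes.fromhex("300b0201000410") + b"public"   # inner length inflated
BAD_LONG = bytes.fromhex("3082ffff020100")                 # long-form length 65535

if __name__ == "__main__":
    for name in ("GOOD", "BAD_OUTER", "BAD_NESTED", "BAD_LONG"):
        print(name, check_payload(globals()[name]) or "ok")
```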