Re: [Snort-users] (spp_asn1) ASN.1 spec violation, possible overflow
From: Erek Adams <erek(at)snort.org>
Date: Fri Mar 07 2003 - 11:58:33 EST

On Wed, 5 Mar 2003, Maynard, Jeff S. wrote:

> Can someone tell me what this alert means. I cannot find any reference to

It means that the ASN preprocessor fired an alert. For more in-depth info look at the code for spp_asn1.c in the <snortdir>/src/preprocessors/ directory. There's about 60-70 lines of comments at the top that explain what it is, and what it's attempting.

Short answer: Something didn't match the ASN.1 specification. Some section of the data was longer than the spec allows. 1001 bytes where it should only be 1000 or something like that.

Cheers!

Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson

Received on Fri Mar 7 12:44:22 2003
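
Added example, not part of the original message and not code from Snort's spp_asn1.c: a minimal BER length check showing one kind of ASN.1 length inconsistency a decoder can flag, a field that declares more content than the packet actually carries. The status names, the single-octet-tag assumption and the 4-octet cap on length fields are assumptions of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status names and MAX_LEN_OCTETS are this example's own choices, not Snort's. */
enum ber_status { BER_OK, BER_TRUNCATED, BER_INDEFINITE, BER_LEN_TOO_WIDE, BER_LEN_OVERRUN };
#define MAX_LEN_OCTETS 4   /* assumed policy: reject length fields wider than 32 bits */

/* Check one TLV (single-octet tag at buf[0]): declared length must fit in the bytes left. */
static enum ber_status ber_check_tlv(const uint8_t *buf, size_t avail, size_t *hdr, size_t *clen)
{
    if (avail < 2) return BER_TRUNCATED;          /* need tag + first length octet */
    size_t pos = 2, len = buf[1] & 0x7f;          /* short-form value, or octet count */
    if (buf[1] == 0x80) return BER_INDEFINITE;    /* indefinite form declares no length */
    if (buf[1] & 0x80) {                          /* long form: len holds the octet count */
        size_t n = len;
        if (n > MAX_LEN_OCTETS) return BER_LEN_TOO_WIDE;
        if (avail - pos < n) return BER_TRUNCATED;
        for (len = 0; n > 0; n--) len = (len << 8) | buf[pos++];
    }
    if (len > avail - pos) return BER_LEN_OVERRUN; /* claims more data than is present */
    *hdr = pos;
    *clen = len;
    return BER_OK;
}

/* Walk sibling TLVs in a buffer and return the first violation found. */
static enum ber_status ber_scan(const uint8_t *buf, size_t avail)
{
    while (avail > 0) {
        size_t hdr, len;
        enum ber_status st = ber_check_tlv(buf, avail, &hdr, &len);
        if (st != BER_OK) return st;
        buf += hdr + len;
        avail -= hdr + len;
    }
    return BER_OK;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t good[]    = { 0x30, 0x06, 0x02, 0x01, 0x00, 0x04, 0x01, 0x41 };
static const uint8_t overrun[] = { 0x30, 0x82, 0x03, 0xe9, 0x02, 0x01, 0x00 }; /* declares 1001 bytes */
static const uint8_t wide[]    = { 0x04, 0x85, 0x01, 0x00, 0x00, 0x00, 0x00, 0x41 };

int main(void)
{
    printf("good=%d overrun=%d wide=%d\n", (int)ber_scan(good, sizeof good),
           (int)ber_scan(overrun, sizeof overrun), (int)ber_scan(wide, sizeof wide));
    return 0;
}
```

The check only walks TLVs at one nesting level; call ber_scan again on a constructed element's content to descend into it.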