asn1

The asn1 rule option adds ASN.1 detection functions on a per-rule basis: it decodes ASN.1 (BER/DER) types, lengths, and data in the packet and applies one or more checks to what it decodes.

There are three detection functions that can be used in asn1:

  • bitstring_overflow -> detects invalid bitstring encodings that are known to be remotely exploitable
  • double_overflow -> detects a double ASCII encoding that is larger than a standard buffer
  • oversize_length -> compares the decoded ASN.1 type lengths with the supplied argument; the function is true if any decoded length is greater than that argument

Only the oversize_length function has a required argument, and that is an integer value to compare the ASN.1 type lengths against.

Users can also specify one of two offset arguments to tell Snort where in the packet to begin decoding: absolute_offset offset or relative_offset offset. absolute_offset counts from the beginning of the packet, whereas relative_offset counts from the current cursor, i.e. the position left by the preceding content, pcre, or byte_jump match; relative_offset therefore only makes sense after such a positional option in the same rule, and it may be negative (see the valid ranges below). Only one offset argument may be given per asn1 option.

Multiple functions can be used in a single asn1 option, and the results of each function are ORed together: if any one of them evaluates to true, the whole option evaluates to true.

Format:

asn1:{bitstring_overflow|double_overflow|oversize_length length} \
     [, {bitstring_overflow|double_overflow|oversize_length length}]… \
     [, {absolute_offset|relative_offset} offset];

Valid integer values for each of the relevant arguments are:

  • oversize_length: 0:4294967295
  • absolute_offset: 0:65535
  • relative_offset: -65535:65535

Examples:

asn1:oversize_length 10000, absolute_offset 0;
asn1:bitstring_overflow, double_overflow, relative_offset 7;
asn1:bitstring_overflow, double_overflow, oversize_length 499, relative_offset 7;
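To make the semantics of the examples above concrete, the following Python script is an added illustration and not Snort's own decoder. It walks BER type/length/data encodings from a chosen offset and reports which checks fire, ORing them the way the option does. It implements oversize_length as described on this page (any decoded length greater than the argument) and, as an assumption, treats a primitive BIT STRING whose unused-bit count exceeds 7 (invalid per X.690) as the bitstring_overflow condition; double_overflow is not modelled. Two further assumptions: oversize_length 0 disables the length check, and with no offset argument decoding starts at the beginning of the buffer. All sample payloads are constructed.

```python
"""Illustrative BER type/length/data walker showing what the asn1 rule
option's oversize_length, bitstring_overflow and offset arguments operate on.
Added example, not Snort's own decoder; sample payloads below are constructed."""

from dataclasses import dataclass
from typing import Iterator, Optional, Set

BIT_STRING_TAG = 3   # universal class, tag number 3 (X.690)


class DecodeError(ValueError):
    """Raised when the buffer ends before a complete identifier and length."""


@dataclass
class Tlv:
    tag_class: int          # 0 universal, 1 application, 2 context, 3 private
    constructed: bool       # bit 6 of the first identifier octet
    tag_number: int
    length: Optional[int]   # None for the indefinite form (0x80)
    data_offset: int        # index of the first content octet


def decode_tlv(buf: bytes, pos: int) -> Tlv:
    """Decode one BER identifier and length starting at buf[pos].
    The length is reported as claimed, never clamped: an oversize claim is
    exactly what oversize_length is meant to catch."""
    if pos >= len(buf):
        raise DecodeError("offset past end of buffer")
    first = buf[pos]
    tag_class, constructed, tag_number = first >> 6, bool(first & 0x20), first & 0x1F
    i = pos + 1
    if tag_number == 0x1F:                      # high-tag-number form, base 128
        tag_number = 0
        while True:
            if i >= len(buf):
                raise DecodeError("truncated tag")
            tag_number = (tag_number << 7) | (buf[i] & 0x7F)
            i += 1
            if not buf[i - 1] & 0x80:
                break
    if i >= len(buf):
        raise DecodeError("missing length octet")
    l0, i = buf[i], i + 1
    if l0 < 0x80:
        length: Optional[int] = l0              # short form
    elif l0 == 0x80:
        length = None                           # indefinite form
    else:
        n = l0 & 0x7F                           # long form: n length octets follow
        if i + n > len(buf):
            raise DecodeError("truncated length")
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    return Tlv(tag_class, constructed, tag_number, length, i)


def walk(buf: bytes, pos: int, end: Optional[int] = None) -> Iterator[Tlv]:
    """Yield every TLV reachable from pos, descending into constructed types
    whose claimed contents fit inside the enclosing scope."""
    end = len(buf) if end is None else end
    while pos < end:
        tlv = decode_tlv(buf, pos)
        yield tlv
        if tlv.length is None:
            return                              # indefinite length: not handled here
        content_end = tlv.data_offset + tlv.length
        if tlv.constructed and content_end <= end:
            yield from walk(buf, tlv.data_offset, content_end)
        pos = content_end                       # an oversize claim just runs past end


def asn1_check(buf: bytes, oversize_length: int = 0, bitstring_overflow: bool = False,
               absolute_offset: Optional[int] = None, relative_offset: Optional[int] = None,
               cursor: int = 0) -> Set[str]:
    """Emulate the option: pick the start offset, decode, OR the function results.
    Returns the set of functions that fired (an empty set means the option is false).
    Assumptions: oversize_length 0 disables the length check, and with no offset
    argument decoding starts at the beginning of the buffer."""
    if absolute_offset is not None:
        start = absolute_offset
    elif relative_offset is not None:
        start = cursor + relative_offset        # cursor = end of the last content match
    else:
        start = 0
    hits: Set[str] = set()
    if not 0 <= start < len(buf):
        return hits
    try:
        for tlv in walk(buf, start):
            if oversize_length and tlv.length is not None and tlv.length > oversize_length:
                hits.add("oversize_length")
            # A primitive BIT STRING whose first content octet (the unused-bit count)
            # exceeds 7 is an invalid encoding per X.690 8.6.2.2; used here as the
            # illustrative bitstring_overflow condition (assumption, see lead-in).
            if (bitstring_overflow and tlv.tag_class == 0 and not tlv.constructed
                    and tlv.tag_number == BIT_STRING_TAG and tlv.length
                    and tlv.data_offset < len(buf) and buf[tlv.data_offset] > 7):
                hits.add("bitstring_overflow")
    except DecodeError:
        pass                                    # truncated data: nothing more to check
    return hits


# Constructed sample payloads (not captured traffic).
GOOD = bytes.fromhex("3007 020105 030200A0")           # SEQUENCE { INTEGER 5, BIT STRING }
BAD_BITSTRING = bytes.fromhex("3007 020105 030208A0")  # unused-bit count 8 is invalid
OVERSIZE = bytes.fromhex("30847FFFFFFF 020105")        # SEQUENCE claims 2147483647 bytes
PREFIXED = b"BIND:  " + BAD_BITSTRING                   # 7-byte prefix a content match would consume

if __name__ == "__main__":
    print(asn1_check(GOOD, oversize_length=10000, bitstring_overflow=True))
    print(asn1_check(OVERSIZE, oversize_length=10000))
    print(asn1_check(PREFIXED, bitstring_overflow=True, relative_offset=7))
```

The PREFIXED payload shows why the offset argument matters: decoding it from absolute_offset 0 starts in the ASCII prefix, produces a meaningless TLV and flags nothing, whereas relative_offset 7 (after a content match that consumed the 7-byte prefix) lands on the SEQUENCE and the invalid BIT STRING is found. Note also that the oversize SEQUENCE is flagged before any attempt to descend into it, since its claimed length runs past the end of the buffer.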