[Snort-users] Idea for a Denial of Service against Snort

Tom Whipp twhipp at ...63...
Thu Jul 20 06:31:46 EDT 2000

Having read the basic architecture paper I'm not sure what you are looking
for - as far as I can see any individual packet can only be matched once in
the rules base and so the best you could do is determine the rules furthest
down the furthest chain header and use that.

However, that does open up another interesting idea - can you perform a
serious attack but hide it under a trivial attack signature so that Snort
flags it as something minor such as a port probe?

Just random musings.


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Andrea
Sent: 20 July 2000 10:56
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Idea for a Denial of Service against Snort


Recently I was thinking about a denial of service against machines that are
using Snort and I came up with this strange idea.

If i create a set of scripts or a program that would read a snort rules
file and would flood some host with all the packets that match the
entries of that rules-file I can create a LOT of work for the logging
system of snort. I guess that flooding for just a minute could cause
several problems even on fast machines.
I have not yet tested that, mainly because I haven't the time to build the
program but I wonder if there is someone who wants to try that.

Maybe an option in Snort that limits the rate of events logged per second
could be useful...

What do you think?


INFIS Network Administrator & Security Officer
Department of Physics       - University of Trieste
lcars at ...96... - PGP Key 0x8E21FE82
"How would you know I'm mad?" said Alice.
"You must be," said the Cat, "or you wouldn't have come here."
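The two mechanisms discussed in this thread, modelled in a small script that is an added illustration and not Snort's own code: Tom's point that a packet is matched once, so a serious payload behind an earlier low-severity rule only produces the minor alert, and Andrea's proposed per-second cap on logged events. The rule syntax is a hypothetical subset of Snort 1.x style rules (action, protocol, ports, and the msg/flags/content options only), the rule file and the packet are constructed for the example, and the "flood" is simulated as a burst of events fed to the limiter rather than packets sent on the wire.

```python
import re
from collections import defaultdict

# Hypothetical subset of Snort 1.x rule syntax (assumption; not Snort's parser):
#   action proto src sport -> dst dport (msg:"..."; flags:XX; content:"...";)
RULE_RE = re.compile(
    r'^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$')


def parse_rule(line):
    """Parse one rule line into a dict; only msg, flags and content are used."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % line)
    opts = {}
    for opt in m.group('opts').split(';'):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(':')
        opts[key.strip()] = val.strip().strip('"') if val else True
    return {
        'proto': m.group('proto'),
        'dport': m.group('dport'),
        'msg': opts.get('msg', ''),
        'flags': opts.get('flags'),
        'content': opts.get('content'),
    }


def rule_matches(rule, pkt):
    """pkt is a dict with keys proto, dport (int), flags (str), payload (str)."""
    if rule['proto'] != pkt['proto']:
        return False
    if rule['dport'] != 'any' and int(rule['dport']) != pkt['dport']:
        return False
    if rule['flags'] is not None and rule['flags'] != pkt['flags']:
        return False
    if rule['content'] is not None and rule['content'] not in pkt['payload']:
        return False
    return True


def first_match(rules, pkt):
    """First-match semantics as Tom describes: one packet yields at most one alert."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule['msg']
    return None


class EventRateLimiter:
    """Per-signature cap on logged events per second (the option Andrea proposes)."""

    def __init__(self, max_per_second):
        self.max_per_second = max_per_second
        self._window = {}                  # msg -> (second, count in that second)
        self.suppressed = defaultdict(int)  # msg -> events dropped so far

    def log(self, msg, ts):
        """Return True if the event should be written, False if it is dropped."""
        second = int(ts)
        start, count = self._window.get(msg, (second, 0))
        if start != second:                # new second: reset this signature's budget
            start, count = second, 0
        if count >= self.max_per_second:
            self._window[msg] = (start, count)
            self.suppressed[msg] += 1
            return False
        self._window[msg] = (start, count + 1)
        return True


# Constructed rule file and packet (not from the original post).
RULES_TEXT = """
alert tcp any any -> any any (msg:"SYN/FIN scan"; flags:SF;)
alert tcp any any -> any 80 (msg:"WEB-CGI phf access"; content:"/cgi-bin/phf";)
"""
RULES = [parse_rule(l) for l in RULES_TEXT.strip().splitlines()]

# A SYN/FIN packet that also carries the phf request: the probe rule comes first.
HIDDEN_PKT = {'proto': 'tcp', 'dport': 80, 'flags': 'SF',
              'payload': 'GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n'}


def flood(limiter, msg, n, ts=0.0):
    """Feed n identical events within one second; return (logged, dropped)."""
    logged = sum(1 for i in range(n) if limiter.log(msg, ts + i / n))
    return logged, n - logged


if __name__ == '__main__':
    print(first_match(RULES, HIDDEN_PKT))                     # SYN/FIN scan
    print(first_match(RULES[::-1], HIDDEN_PKT))               # WEB-CGI phf access
    print(flood(EventRateLimiter(10), 'SYN/FIN scan', 1000))  # (10, 990)
```

Reversing the rule order is what changes the outcome for the hidden packet, which is the practical lesson of Tom's musing: with first-match evaluation, specific high-severity signatures should precede broad low-severity ones. The limiter keeps a separate budget per signature so that a flood of one trivial signature cannot starve the logging of others; the dropped count per signature is retained so the suppression itself is visible to the operator.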
