[Snort-users] Idea for a Denial of Service against Snort

Andrea Barisani lcars at ...96...
Thu Jul 20 06:51:20 EDT 2000

On Thu, 20 Jul 2000, Tom Whipp wrote:

> having read the basic architecture paper I'm not sure what you are looking
> for - as far as I can see any individual packet can only be matched once in
> the rules base and so the best you could do is determine the rules furthest
> down the furthest chain header and use that.

Yes, that's right, what I'm proposing is sending one (or more) packet for
each different rule in the rules-file in order to trigger all the alerts..

> However that does open up another interesting idea - can you perform a
> serious attack but hide it under a trivial attack signature so that snort
> flags it as something minor such as a port probe?

That is a common problem in IDS, I can strike my attack and surround it by
a lot of false alarms that would eventually make more complex the
recognition of the real malicious packets...

There is a nice paper about that on SecurityFocus, is called

Insertion, Evasion, and Denial of Service: Eluding Network Intrusion

> just random musings.
> 	Tom


INFIS Network Administrator & Security Officer
Department of Physics       - University of Trieste
lcars at ...96... - PGP Key 0x8E21FE82
"How would you know I'm mad?" said Alice.
"You must be,'said the Cat,'or you wouldn't have come here."

More information about the Snort-users mailing list