[Snort-users] Idea for a Denial of Service against Snort

Tom Whipp twhipp at ...63...
Thu Jul 20 07:02:33 EDT 2000

> > having read the basic architecture paper I'm not sure what you are
> > for - as far as I can see any individual packet can only be matched once
> > the rules base and so the best you could do is determine the rules
> > down the furthest chain header and use that.
> Yes, that's right, what I'm proposing is sending one (or more) packet for
> each different rule in the rules-file in order to trigger all the alerts..

What I don't understand is why you want to tigger all the alerts - surely
processing some of these would be more time consuming than others.  I can
understand that a wide range of alerts would be morelikely to overload a
system such as swatch but if your trying to DOS the IDS itself then I'd have
thought single rules would be the target.


More information about the Snort-users mailing list