[Snort-users] Idea for a Denial of Service against Snort
twhipp at ...63...
Thu Jul 20 07:02:33 EDT 2000
> > having read the basic architecture paper I'm not sure what you are
> > for - as far as I can see any individual packet can only be matched once
> > the rules base and so the best you could do is determine the rules
> > down the furthest chain header and use that.
> Yes, that's right, what I'm proposing is sending one (or more) packet for
> each different rule in the rules-file in order to trigger all the alerts.
What I don't understand is why you want to trigger all the alerts - surely
processing some of these would be more time consuming than others. I can
understand that a wide range of alerts would be more likely to overload a
system such as swatch, but if you're trying to DoS the IDS itself then I'd have
thought single rules would be the target.