[Snort-users] Idea for a Denial of Service against Snort

Andrew R. Baker andrewb at ...2...
Fri Jul 21 19:44:41 EDT 2000

Andrea Barisani wrote:
> Well I don't know if the IDS is going to fault with an attack like this,
> maybe not, I agree with you that the problem could be only with the logging
> program (such as syslog) but however if I want to crash snort I think that
> triggering all the rules again and again could be far more difficult to
> handle than targeting a single rule...
> These are only suggestions, maybe I'm completely wrong...after all that's
> why I'm posting this on the list ;-)

While this type of attack against an IDS may not crash the IDS, it can
be useful in hiding a legitimate attack.  By crafting packets
designed to trigger alerts, you can create a lot of noise.  It will be
difficult to find the one legitimate attack in a set of 10000 bogus
In this case, you want to trigger as many different rules as possible,
not to bog down the IDS, but to make it more difficult to find the real attack.


P.S.  It would be an interesting tool, but I have no plans on writing it
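From the analyst's side, the noise Andrew describes has a recognisable shape: one source firing a large number of alerts across many different rules, while the real attack is a handful of alerts from somewhere else. The script below is an added example, not code from this thread or from the Snort project; it parses Snort-style "fast" alert lines (the sample lines are constructed, not captured traffic), flags sources whose alert count and distinct-rule count both exceed a threshold, and returns the alerts that remain once those flood sources are set aside. The thresholds, helper names and sample addresses are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Regex for Snort's "fast" alert line format; only the fields used below are captured.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)


def parse_alert(line):
    """Return a dict of the alert's fields, or None for a line that is not a fast alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["sid"] = int(alert["sid"])
    return alert


def find_flood_sources(alerts, min_alerts=20, min_distinct_sids=10):
    """Identify sources that fire many alerts spread over many different rules.

    The distinct-rule count is what separates deliberate noise (many rules hit
    on purpose) from, say, a single mis-tuned rule firing repeatedly.
    """
    sids_by_src = defaultdict(list)
    for alert in alerts:
        sids_by_src[alert["src"]].append(alert["sid"])
    flood = {}
    for src, sids in sids_by_src.items():
        distinct = len(set(sids))
        if len(sids) >= min_alerts and distinct >= min_distinct_sids:
            flood[src] = {"alerts": len(sids), "distinct_sids": distinct}
    return flood


def triage(lines, **thresholds):
    """Split raw alert lines into (flood sources, alerts not attributable to a flood source)."""
    alerts = [a for a in (parse_alert(line) for line in lines) if a is not None]
    flood = find_flood_sources(alerts, **thresholds)
    remaining = [a for a in alerts if a["src"] not in flood]
    return flood, remaining


def _fast_line(ts, sid, msg, src, dst):
    # Helper that builds a constructed fast-format alert line for the sample below.
    return (f"{ts}  [**] [1:{sid}:1] {msg} [**] [Classification: Misc activity] "
            f"[Priority: 3] {{TCP}} {src}:4444 -> {dst}:80")


# Constructed sample: 50 alerts from one source, each hitting a different rule
# (the "noise"), with a single alert from another source buried in the middle.
SAMPLE_LINES = [
    _fast_line(f"07/21-19:44:{i % 60:02d}.000000", 1000000 + i,
               f"NOISE RULE {i}", "10.0.0.5", "192.168.1.10")
    for i in range(50)
]
SAMPLE_LINES.insert(25, _fast_line("07/21-19:44:30.000000", 2000001,
                                   "WEB-ATTACKS example signature",
                                   "10.0.0.9", "192.168.1.10"))

if __name__ == "__main__":
    flood, remaining = triage(SAMPLE_LINES)
    for src, stats in flood.items():
        print(f"flood source {src}: {stats['alerts']} alerts, "
              f"{stats['distinct_sids']} distinct rules")
    for alert in remaining:
        print(f"remaining: {alert['ts']} sid={alert['sid']} "
              f"{alert['src']} -> {alert['dst']} {alert['msg']}")
```

Grouping by source address is only a first cut: a sender can spoof source addresses on unsolicited packets, so in practice the same aggregation should also be run per destination and per time window, and the flood itself should be treated as an alert in its own right rather than simply discarded.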
