[Snort-users] Idea for a Denial of Service against Snort

Andrew R. Baker andrewb at ...2...
Fri Jul 21 19:44:41 EDT 2000


Andrea Barisani wrote:
> Well I don't know if the IDS is going to fault with an attack like this,
> maybe not, I agree with you that the problem could be only with the logging
> program (such as syslog) but however if I want to crash snort I think that
> triggering all the rules again and again could be far more difficult to
> handle than targeting a single rule...
> 
> These are only suggestions, maybe I'm completely wrong...after all that's
> why I'm posting this on the list ;-)

While this type of attack against an IDS may not crash the IDS, it can still
be useful in hiding a legitimate attack.  By crafting packets specifically
designed to trigger alerts, you can create a lot of noise.  It will be very
difficult to find the one legitimate attack in a set of 10000 bogus attacks.
In this case, you want to trigger as many different rules as possible, not to
bog down the IDS, but to make it more difficult to find the real attack.

-Andrew

P.S.  It would be an interesting tool, but I have no plans on writing it ;)