[Snort-users] Idea for a Denial of Service against Snort

chris koontz ckoontz at ...131...
Fri Jul 21 20:51:26 EDT 2000


A solution "fix" to this "attack hiding" might be to
have a shadow sensor set up on the same wire as the
snort box... so that you will have a header trail to
work with.. 

just a thought,
ckoontz
--- "Andrew R. Baker" <andrewb at ...2...> wrote:
> Andrea Barisani wrote:
> > Well I don't know if the IDS is going to fault with an attack like this,
> > maybe not, I agree with you that the problem could be only with the logging
> > program (such as syslog) but however if I want to crash snort I think that
> > triggering all the rules again and again could be far more difficult to
> > handle than targeting a single rule...
> >
> > These are only suggestions, maybe I'm completely wrong...after all that's
> > why I'm posting this on the list ;-)
>
> While this type of attack against an IDS may not crash the IDS, it can still
> be useful in hiding a legitimate attack.  By crafting packets specifically
> designed to trigger alerts, you can create a lot of noise.  It will be very
> difficult to find the one legitimate attack in a set of 10000 bogus attacks.
> In this case, you want to trigger as many different rules as possible, not to
> bog down the IDS, but to make it more difficult to find the real attack.
>
> -Andrew
>
> P.S.  It would be an interesting tool, but I have no plans on writing it ;)


=====
---------------ckoontz at ...132...
The above text is a natural product.  Slight variations
in spelling and grammar enhance its individual character
& beauty and in no way are to be considered flaws or defects.  
----------------------------------------------------------
