[Snort-users] Idea for a Denial of Service against Snort

Mullen, Patrick Patrick.Mullen at ...24...
Mon Jul 24 14:41:09 EDT 2000


Denial of service against a NIDS through the logging facility
(as opposed to alert flooding) only requires a single alert,
repeated over and over.  This single alert is the worst-case
thread, and of course requires that worst-case scenario to be
set as an alert.  This also depends on the machine being slow
enough to not be able to handle the traffic and the bandwidth being
high enough to generate enough traffic.

On that note, has anyone run performance statistics on snort?
I know someone ran Purify so we know (at the time ;) snort
was good about memory management, but what about cycles
consumed per thread?  What is the longest amount of code
needed to generate an alert on a rule?  How long does it
take to determine a false match on any given rule?

The ideal candidate, if able to DoS through alerting, or
even just because the machine is slow, is to hit a rule
at the end of a ruleset that takes a lot of time to
complete processing.

Of course, just because a rule is at the end of a rules
file in snort doesn't mean it's in the longest list.


~Patrick
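An added illustration of the measurement the post asks for (this is example code written for this page, not Patrick's code and not Snort's own matching engine): a toy rule chain in which each rule counts the byte comparisons it spends on a packet, so the cost of ruling out a false match can be compared rule by rule. The naive search deliberately lacks any skip heuristic, which is the worst case the post is worried about. The rule patterns, payloads and sids are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    """A minimal content rule: fire if `content` occurs anywhere in the payload."""
    sid: int
    content: bytes
    msg: str

def naive_find(hay: bytes, needle: bytes):
    """Quadratic substring search that records how many byte comparisons it made.

    Returns (index_or_minus_one, comparisons). There is no skip table, so a
    payload that almost matches at every offset costs len(needle) comparisons
    per offset: the worst case for a content rule.
    """
    n, m = len(hay), len(needle)
    comparisons = 0
    for i in range(n - m + 1):
        j = 0
        while j < m:
            comparisons += 1
            if hay[i + j] != needle[j]:
                break
            j += 1
        else:
            return i, comparisons
    return -1, comparisons

def evaluate(rules, payload: bytes):
    """Walk the rule chain in order (every rule is checked; no short-circuit).

    Returns (alerted_sids, work) where work maps sid -> comparisons spent,
    whether or not the rule matched.
    """
    alerted, work = [], {}
    for rule in rules:
        idx, cost = naive_find(payload, rule.content)
        work[rule.sid] = cost
        if idx >= 0:
            alerted.append(rule.sid)
    return alerted, work

def most_expensive(work):
    """sid of the rule that burned the most comparisons on this packet."""
    return max(work, key=work.get)

# Constructed rule chain: a long pattern (sid 2) sits in the middle, and the
# pattern that actually fires on the test packet (sid 3) is last in the chain.
RULES = [
    Rule(1, b"XYZ", "example short pattern"),
    Rule(2, b"AAAAB", "example long pattern with repeated prefix"),
    Rule(3, b"QQQQ", "example pattern at the end of the chain"),
]

# Constructed payloads: one that nearly matches sid 2 at every offset but
# triggers nothing, and one that trips only the last rule.
NEAR_MISS = b"A" * 64
HIT_LAST = b"A" * 32 + b"QQQQ" + b"A" * 28

if __name__ == "__main__":
    for name, payload in (("near-miss", NEAR_MISS), ("hit-last", HIT_LAST)):
        alerts, work = evaluate(RULES, payload)
        print(f"{name}: alerts={alerts} work={work} "
              f"slowest=sid {most_expensive(work)}")
```

The near-miss packet raises no alert at all yet costs sid 2 five comparisons per offset, several times what the packet that actually fires sid 3 costs that rule; sizing a sensor by "cycles per alert" alone would miss that. Swapping `naive_find` for a search with a skip table and re-running the same constructed payloads shows how much of that worst case a better matcher removes.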
