[Snort-users] Idea for a Denial of Service against Snort

Erich Meier Erich.Meier at ...99...
Tue Jul 25 04:02:51 EDT 2000


On Mon, Jul 24, 2000 at 02:41:09PM -0400, Mullen, Patrick wrote:
> Denial of service against a NIDS through the logging facility
> (as opposed to alert flooding) only requires a single alert,
> repeated over and over.  This single alert is the worst-case
> thread, and of course requires that worst-case scenario to be
> set as an alert.  This also depends on the machine being slow
> enough to not be able to the traffic and the bandwidth being
> high enough to generate enough traffic.
> 
> On that note, has anyone run performance statistics on snort?
> I know someone ran Purify so we know (at the time ;) snort
> was good about memory management, but what about cycles
> consumed per thread?  What is the longest amount of code
> needed to generate an alert on a rule?  How long does it
> take to determine a false match on any given rule?

Can Purify find those issues? I am not sure.

But I'd guess that the alert code path length is not the problem.
All monitoring apps that I came across so far have been more susceptible to
I/O-hogging than to CPU-hogging.

This includes
  - filling I/O channels (syscalls, bus systems)
  - swamping logfiles
  - swamping network logging (syslog)

So I have always been a fan of raw logging (no decoding, no pretty printing)
in the NIDS and post-processing afterwards with another app when you have
time, CPU and I/O available.

This also fits better into the "small is beautiful" approach.

Have a look at "argus", they seem to follow this principle in an admirable way.

BTW: snort and argus seem to be some kind of "dream team" for me. Snort does
the ID and argus does traffic dumping for forensic analysis after an attack.
Unfortunately, I couldn't combine those two apps on a single machine, yet.

> The ideal candidate, if able to DoS through alerting, or
> even just because the machine is slow, is to hit a rule
> at the end of a ruleset that takes a lot of time to
> complete processing.
> 
> Of course, just because a rule is at the end of a rules
> file in snort doesn't mean it's in the longest list.

See above.

0.02 Euro from
Erich
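As an added illustration of the raw-logging argument above (example code written for this page, not code from Snort, argus or this thread), the following compares a fixed-size binary record against a decoded, pretty-printed line for the same single alert repeated many times, and shows the post-processing step that decodes and counts the repeats offline. The record layout, the rule id and the addresses are constructed for the example.

```python
import struct
import time
from collections import Counter

# Fixed-size raw record: timestamp (double), rule id (uint32),
# source/destination IPv4 (uint32 each), source/destination port (uint16 each).
RAW_FMT = "!dIIIHH"
RAW_SIZE = struct.calcsize(RAW_FMT)  # 24 bytes per event


def raw_record(ts, sid, src, dst, sport, dport):
    """Raw logging: pack the event as-is, no decoding, no pretty printing."""
    return struct.pack(RAW_FMT, ts, sid, src, dst, sport, dport)


def pretty_record(ts, sid, src, dst, sport, dport):
    """Decoded logging: format a timestamp string and dotted addresses per event."""
    def ip(n):
        return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))
    t = time.strftime("%m/%d-%H:%M:%S", time.gmtime(ts))
    return f"{t} [**] sid:{sid} [**] {ip(src)}:{sport} -> {ip(dst)}:{dport}\n".encode()


def log_burst(writer, events):
    """Log every event with the given writer; return total bytes produced."""
    return sum(len(writer(*e)) for e in events)


def post_process(blob):
    """Offline post-processing of raw records: decode and count repeats per
    (rule id, source, destination), i.e. the work the sensor did not do inline."""
    counts = Counter()
    for off in range(0, len(blob), RAW_SIZE):
        ts, sid, src, dst, sport, dport = struct.unpack_from(RAW_FMT, blob, off)
        counts[(sid, src, dst)] += 1
    return counts


def constructed_burst(n):
    """Constructed sample: one alert (rule 1000001, 10.0.0.1 -> 10.0.0.2:80) repeated n times."""
    return [(964500000.0 + i, 1000001, 0x0A000001, 0x0A000002, 40000 + (i % 100), 80)
            for i in range(n)]


if __name__ == "__main__":
    burst = constructed_burst(1000)
    print("raw bytes:   ", log_burst(raw_record, burst))
    print("pretty bytes:", log_burst(pretty_record, burst))
    print("repeats:     ", post_process(b"".join(raw_record(*e) for e in burst)))
```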
