[Snort-users] Idea for a Denial of Service against Snort
Erich.Meier at ...99...
Tue Jul 25 04:02:51 EDT 2000
On Mon, Jul 24, 2000 at 02:41:09PM -0400, Mullen, Patrick wrote:
> Denial of service against a NIDS through the logging facility
> (as opposed to alert flooding) only requires a single alert,
> repeated over and over. This single alert is the worst-case
> thread, and of course requires that worst-case scenario to be
> set as an alert. This also depends on the machine being slow
> enough to not be able to handle the traffic and the bandwidth being
> high enough to generate enough traffic.
> On that note, has anyone run performance statistics on snort?
> I know someone ran Purify so we know (at the time ;) snort
> was good about memory management, but what about cycles
> consumed per thread? What is the longest amount of code
> needed to generate an alert on a rule? How long does it
> take to determine a false match on any given rule?
Can Purify find those issues? I am not sure.
But I'd guess that the alert code path length is not the problem.
All monitoring apps that I came across so far have been more susceptible to
I/O-hogging than to CPU-hogging:
- filling I/O channels (syscalls, bus systems)
- swamping logfiles
- swamping network logging (syslog)
So I have always been a fan of raw logging (no decoding, no pretty printing)
in the NIDS and post-processing afterwards with another app when you have
time, CPU and I/O available.
This also fits better into the "small is beautiful" approach.
Have a look at "argus"; they seem to follow this principle in an admirable way.
BTW: snort and argus seem to be some kind of "dream team" for me. Snort does
the ID and argus does traffic dumping for forensic analysis after an attack.
Unfortunately, I couldn't combine those two apps on a single machine yet.
> The ideal candidate, if able to DoS through alerting, or
> even just because the machine is slow, is to hit a rule
> at the end of a ruleset that takes a lot of time to
> complete processing.
> Of course, just because a rule is at the end of a rules
> file in snort doesn't mean it's in the longest list.
0.02 Euro from
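As an added illustration of the raw-logging-then-post-process split argued for above (example code, not from this thread, Snort or argus): the hot path appends length-prefixed raw frames to a spool with no decoding, and a separate cold pass decodes them later. The spool record layout, the helper names and the constructed sample frames are assumptions for the demo.

```python
import struct
import time
from io import BytesIO
# Assumed spool record layout: 8-byte timestamp, 4-byte length, then the raw frame.
REC_HDR = struct.Struct("!dI")

def spool_write(fh, frame, ts=None):
    """Hot path: append the frame untouched; no decoding, no pretty printing."""
    if ts is None:
        ts = time.time()
    fh.write(REC_HDR.pack(ts, len(frame)) + frame)
    return REC_HDR.size + len(frame)          # bytes written for this record

def spool_read(fh):
    """Cold path: yield (timestamp, frame) records; stop cleanly at a truncated tail."""
    while True:
        hdr = fh.read(REC_HDR.size)
        if len(hdr) < REC_HDR.size:
            return
        ts, n = REC_HDR.unpack(hdr)
        frame = fh.read(n)
        if len(frame) < n:
            return                            # writer was interrupted mid-record
        yield ts, frame

def decode_ipv4(frame):
    """Cold path: decode an Ethernet/IPv4 frame into a summary for later analysis."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return {"proto": "non-ipv4"}
    return {"src": ".".join(str(b) for b in frame[26:30]),
            "dst": ".".join(str(b) for b in frame[30:34]),
            "ttl": frame[22], "proto": frame[23]}

def build_sample_frame(src, dst, proto=6, ttl=64, payload=b""):
    """Constructed Ethernet+IPv4 frame for the demo, not captured traffic."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + payload

def demo(repeats=1000):
    """Same alert repeated: the hot path pays only header + raw bytes per record."""
    spool = BytesIO()
    frame = build_sample_frame("10.0.0.5", "10.0.0.9", payload=b"x" * 40)
    written = sum(spool_write(spool, frame, ts=1.0) for _ in range(repeats))
    spool.seek(0)
    records = list(spool_read(spool))
    return len(records), written, decode_ipv4(records[0][1])
```

Swapping `BytesIO` for a real file handle gives the on-disk spool; the decoder runs whenever CPU and I/O are free, not on the capture path.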