[Snort-users] Idea for a Denial of Service against Snort

Bill Marquette wlmarque at ...8...
Tue Jul 25 08:33:49 EDT 2000


From:     "Mullen, Patrick" <Patrick.Mullen at ...24...> on 07/24/2000 01:41 PM
>On that note, has anyone run performance statistics on snort?
>I know someone ran Purify so we know (at the time ;) snort
>was good about memory management, but what about cycles
>consumed per thread?  What is the longest amount of code
>needed to generate an alert on a rule?  How long does it
>take to determine a false match on any given rule?

On the same note.  What about a packet that needs to traverse multiple
preprocessors?  Fragmented HTTP requests might be evil enough to cause some
mayhem.  BTW, Marty...what order do the preprocessors load in?  Is it safe to
assume that the preprocessors load in config file order, so if spp_defrag was
first, followed by http_decode we'd get a fragmented HTTP packet traversing the
defrag code and then the http_decode code, and finally doing normal rule
traversal?

--Bill





