Snort mailing list archives

Re: DOS in Snort?


From: Shane Williams <shanew () shanew net>
Date: Fri, 21 Feb 2003 17:34:11 -0600 (CST)

On Fri, 21 Feb 2003, Erick Mechler wrote:

:: Overall it took about 30 minutes to clear up everything. This is
:: an OS issue and not a snort issue right? Is there a way to limit the
:: number of alerts? Couldn't any snort box not logging to a
:: database be susceptible to a DOS in this manner?

The only way this could be used in a DoS against a snort sensor is if you 
have neglected to properly partition your disks, and you manage to fill up 
an important filesystem on your sensor.  For instance, if you fill up /, 
some OS's might have a problem with that.  Additionally, you can bring a 
Solaris system to its knees if you fill up /tmp.

I think what Chris meant was that it could be used to DoS snort
itself, not necessarily the sensor running snort (In either case, your
IDS is out of commission).  In this, Chris is right, though I don't see
how logging to a database would prevent that since the database could
grow similarly large until it's full (full meaning different things
depending on your DB).

My own solution to a similar problem (logging full network traffic via
tcpdump filling up drives), was to write a script that monitors disk
usage and deletes older files at a certain threshold percentage.

Also, in situations where there are "too many arguments" for a command
like rm, xargs is a good (if somewhat time consuming) solution (or find
if you need to delete by certain parameters, but it would go even
slower).  A command line like "ls | xargs rm -f" would delete however
many files with a single command.

-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew () shanew net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
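The threshold-based cleanup Shane describes, as an added example that is not his script: a POSIX sh function that deletes the oldest files in a log directory one at a time until the filesystem holding it drops below a usage percentage. The directory, threshold and the measuring helper are assumptions; the optional third argument lets the measurement be swapped, so the logic can be exercised without actually filling a disk.

```shell
#!/bin/sh
# Added example, not the poster's own script.  Keeps an IDS log
# directory from filling its filesystem by pruning the oldest files.
# Assumed (hypothetical) defaults: logs in /var/log/snort, prune at 90%.

LOG_DIR="${LOG_DIR:-/var/log/snort}"
THRESHOLD="${THRESHOLD:-90}"   # percent used at which pruning starts

# Percentage in use on the filesystem that holds $1 (integer, no '%').
fs_used_pct() {
    df -P "$1" | awk 'NR==2 { sub(/%/, "", $5); print $5 }'
}

# Name of the oldest regular file in directory $1 (empty if none).
# ls -t sorts newest first, -r reverses, -p marks directories with '/'.
oldest_file() {
    ls -trp "$1" 2>/dev/null | grep -v '/$' | head -n 1
}

# prune_oldest DIR LIMIT [MEASURE]
# Delete the oldest file in DIR, one per iteration, until MEASURE DIR
# (default: fs_used_pct) reports less than LIMIT percent.  Returns 1 if
# the directory is emptied while still above the limit.
prune_oldest() {
    dir=$1; limit=$2; measure=${3:-fs_used_pct}
    while [ "$("$measure" "$dir")" -ge "$limit" ]; do
        oldest=$(oldest_file "$dir")
        [ -n "$oldest" ] || return 1
        rm -f -- "$dir/$oldest"
    done
    return 0
}
```

From cron, `prune_oldest "$LOG_DIR" "$THRESHOLD"` does the work; removing one file per `rm` also sidesteps the "too many arguments" limit mentioned above. For a bulk delete, `find "$LOG_DIR" -type f -print0 | xargs -0 rm -f` handles names with spaces or newlines, which a bare `ls | xargs rm -f` does not.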
