I’ll put up a better link later when I find one, but a recent presentation and paper (I printed them out yesterday but have not read them yet) on a Snort algorithmic vulnerability has been talked about and patched. The vuln would cause Snort to spike the cpu to 100% and eventually crash. Why is this useful? This is a lot like someone cutting off the alarm systems before robbing a bank. You can even do this externally if a company has Snort running outside the firewall (not uncommon in order to determine differences across the perimeter defenses) and that same server is running the inside Snort instance. Since this is an easy but technical exploit, I suspect this to be packaged eventually into attack toolkits rather quietly. I would suspect old Snort instances may stay in production for years in some cases.