Snort mailing list archives
Snort Rules for LOKI Daemon
From: "kevin reynolds" <kevinreynolds2525 () hotmail com>
Date: Wed, 22 Jan 2003 14:38:10 +0000
What rules, if any, does Snort use to detect the lokid? If the default rule set does not include one, does anyone have a custom rule? Cisco IDS fires the lokid signature when it sees more incoming echo replies than outbound echo requests. This rule depends on the foreign host sending more echo replies to the local host than the local host has sent echo requests to it. With this logic, you could assume that you will see less than half of all possible loki intrusions. Thanks.
Kevin
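The counting heuristic described in the message above (more inbound echo replies than outbound echo requests), run over a few packet records, as an added example that is not part of the original post and is not taken from any Snort or Cisco rule set. The local network prefix, the addresses (documentation ranges), the sample packets and all function names are assumptions made for illustration.

```python
from collections import Counter

ECHO_REPLY, ECHO_REQUEST = 0, 8          # ICMP type numbers
LOCAL_NET_PREFIX = "192.0.2."            # assumed local network (documentation range)

# Constructed sample traffic: (source, destination, icmp_type).
SAMPLE_PACKETS = [
    # Ordinary ping: two requests out, two replies back (balanced).
    ("192.0.2.10", "198.51.100.5", ECHO_REQUEST),
    ("198.51.100.5", "192.0.2.10", ECHO_REPLY),
    ("192.0.2.10", "198.51.100.5", ECHO_REQUEST),
    ("198.51.100.5", "192.0.2.10", ECHO_REPLY),
    # One request out, three replies back: two replies are unsolicited.
    ("192.0.2.20", "203.0.113.9", ECHO_REQUEST),
    ("203.0.113.9", "192.0.2.20", ECHO_REPLY),
    ("203.0.113.9", "192.0.2.20", ECHO_REPLY),
    ("203.0.113.9", "192.0.2.20", ECHO_REPLY),
    # Remote host sends requests, local host answers: never counted at all.
    ("203.0.113.77", "192.0.2.30", ECHO_REQUEST),
    ("192.0.2.30", "203.0.113.77", ECHO_REPLY),
]


def is_local(ip):
    """True when the address belongs to the assumed local network."""
    return ip.startswith(LOCAL_NET_PREFIX)


def excess_inbound_replies(packets):
    """Map (local_host, remote_host) to the number of inbound echo replies
    that exceed the echo requests the local host sent to that remote host."""
    requests_out = Counter()
    replies_in = Counter()
    for src, dst, icmp_type in packets:
        if icmp_type == ECHO_REQUEST and is_local(src) and not is_local(dst):
            requests_out[(src, dst)] += 1
        elif icmp_type == ECHO_REPLY and is_local(dst) and not is_local(src):
            replies_in[(dst, src)] += 1
    return {
        pair: count - requests_out[pair]
        for pair, count in replies_in.items()
        if count > requests_out[pair]
    }


if __name__ == "__main__":
    for (local, remote), excess in excess_inbound_replies(SAMPLE_PACKETS).items():
        print(f"{remote} -> {local}: {excess} echo replies without a matching request")
```

Only the second flow is reported. The balanced flow and the flow where the remote side sends the requests pass unnoticed, which is the coverage gap the message points out.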