Snort mailing list archives

Re: Snort Rules for LOKI Daemon


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 22 Jan 2003 16:22:25 -0500

Well, a detection using this method would have to be a snort preprocessor. A simple snort rule cannot be stateful, thus can't compare the number of echo replies with the number of echo requests...

Of course, if there's something significant in the data contents of the echo reply packets themselves, then a simple snort rule would work great.

At 02:38 PM 1/22/2003 +0000, kevin reynolds wrote:
What rules, if any, does snort use to detect the lokid? If the default rule set does not include one, does anyone have a custom rule? Cisco IDS fires the lokid signature when it sees more incoming echo replies than outbound echo requests. This rule depends on the foreign host sending more echo replies to the local host than the local host has sent echo requests to it. With this logic, you could assume that you will see less than half of all possible loki intrusions. Thanks.

Kevin
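The stateful reply-versus-request comparison described in the thread, written out as an added example (this is not code from the thread, from Snort, or from any Snort preprocessor). It keeps one pair of counters per (local host, remote host) and raises an alert each time the remote host has delivered more echo replies than the local host has sent requests. The `IcmpEvent` record, the `EchoRatioDetector` class, the local network `192.0.2.0/24` and the sample traffic in `run_sample()` are all constructed for the illustration.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class IcmpEvent:
    """One observed ICMP packet, reduced to the fields the check needs (constructed type)."""
    src: str
    dst: str
    icmp_type: int


class EchoRatioDetector:
    """Stateful echo-reply/echo-request comparison, per (local host, remote host) pair.

    Alerts whenever a remote host has delivered more echo replies to a local host
    than that local host has sent echo requests to it. This needs state kept across
    packets, which is why it belongs in a preprocessor rather than a single rule.
    """

    def __init__(self, local_networks):
        # Assumption: the caller supplies the address ranges considered "inside".
        self.local_networks = [ipaddress.ip_network(n) for n in local_networks]
        self.requests_out = defaultdict(int)  # (local, remote) -> echo requests sent
        self.replies_in = defaultdict(int)    # (local, remote) -> echo replies received
        self.alerts = []

    def is_local(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.local_networks)

    def observe(self, ev):
        """Update the counters for one packet; return an alert tuple or None."""
        if ev.icmp_type == ICMP_ECHO_REQUEST and self.is_local(ev.src) and not self.is_local(ev.dst):
            self.requests_out[(ev.src, ev.dst)] += 1
        elif ev.icmp_type == ICMP_ECHO_REPLY and self.is_local(ev.dst) and not self.is_local(ev.src):
            key = (ev.dst, ev.src)
            self.replies_in[key] += 1
            if self.replies_in[key] > self.requests_out[key]:
                alert = (key[0], key[1], self.requests_out[key], self.replies_in[key])
                self.alerts.append(alert)
                return alert
        return None


def run_sample():
    """Feed constructed traffic through the detector and return the alerts raised."""
    det = EchoRatioDetector(["192.0.2.0/24"])
    local = "192.0.2.10"
    events = []
    # Ordinary ping exchange: three requests out, three replies back. No alert.
    for _ in range(3):
        events.append(IcmpEvent(local, "198.51.100.5", ICMP_ECHO_REQUEST))
        events.append(IcmpEvent("198.51.100.5", local, ICMP_ECHO_REPLY))
    # Suspicious exchange: one request out, three replies back. Alerts on replies 2 and 3.
    events.append(IcmpEvent(local, "203.0.113.7", ICMP_ECHO_REQUEST))
    for _ in range(3):
        events.append(IcmpEvent("203.0.113.7", local, ICMP_ECHO_REPLY))
    for ev in events:
        det.observe(ev)
    return det.alerts


if __name__ == "__main__":
    for local_host, remote_host, sent, received in run_sample():
        print(f"ALERT {remote_host} -> {local_host}: {received} replies vs {sent} requests")
```

As the thread points out, this check only fires when the reply count actually exceeds the request count, so traffic that keeps the ratio at or below one is never flagged; counters should also be expired or reset periodically in a real deployment so that a long-running pair does not accumulate an unbounded surplus of requests that masks later excess replies.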



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

