Snort mailing list archives
Re: Snort Rules for LOKI Daemon
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 22 Jan 2003 16:22:25 -0500
Well, a detection using this method would have to be a snort preprocessor. A simple snort rule cannot be stateful, thus can't compare the number of echo replies with the number of echo requests...
Of course, if there's something significant in the data contents of the echo reply packets themselves, then a simple snort rule would work great.
At 02:38 PM 1/22/2003 +0000, kevin reynolds wrote:
What rules, if any, does snort use to detect the lokid? If there the default rule set does not include one, does anyone have a custom rule? Cisco IDS fires the lokid signature when it sees more incoming echo replys than outbound echo requests. This rule depends on the foreign host sending more echo replies to the local host than the local host has sent echo requests to it. With this logic, you could assume that you will see less than half of all possible loki intrusions. Thanks.Kevin
------------------------------------------------------- This SF.net email is sponsored by: Scholarships for Techies! Can't afford IT training? All 2003 ictp students receive scholarships. Get hands-on training in Microsoft, Cisco, Sun, Linux/UNIX, and more. www.ictp.com/training/sourceforge.asp _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort Rules for LOKI Daemon kevin reynolds (Jan 22)
- Re: Snort Rules for LOKI Daemon Matt Kettler (Jan 22)
- Re: Snort Rules for LOKI Daemon twig les (Jan 22)
- Re: Snort Rules for LOKI Daemon Andreas Östling (Jan 23)
- <Possible follow-ups>
- Re: Snort Rules for LOKI Daemon kevin reynolds (Jan 23)
- Re: Snort Rules for LOKI Daemon Matt Kettler (Jan 22)