Snort mailing list archives
Re: Snort Rules for LOKI Daemon
From: twig les <twigles () yahoo com>
Date: Wed, 22 Jan 2003 13:33:01 -0800 (PST)
Didn't classic loki use something stupid in the packet that gave it away? I believe it was the same sequence number for every packet. The reason I bring this up is I am curious as to how you know what triggers an alert in Cisco IDS. I thought the signatures were off-limits...am I wrong?

--- Matt Kettler <mkettler () evi-inc com> wrote:

Well, a detection using this method would have to be a snort preprocessor. A simple snort rule cannot be stateful, thus can't compare the number of echo replies with the number of echo requests... Of course, if there's something significant in the data contents of the echo reply packets themselves, then a simple snort rule would work great.

At 02:38 PM 1/22/2003 +0000, kevin reynolds wrote:

What rules, if any, does snort use to detect the lokid? If the default rule set does not include one, does anyone have a custom rule?

Cisco IDS fires the lokid signature when it sees more incoming echo replies than outbound echo requests. This rule depends on the foreign host sending more echo replies to the local host than the local host has sent echo requests to it. With this logic, you could assume that you will see less than half of all possible loki intrusions.

Thanks.
Kevin
-------------------------------------------------------
This SF.net email is sponsored by: Scholarships for Techies! Can't afford IT training? All 2003 ictp students receive scholarships. Get hands-on training in Microsoft, Cisco, Sun, Linux/UNIX, and more. www.ictp.com/training/sourceforge.asp
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.
-----------------------------------------------------------
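Editor's added example (not code from anyone in this thread and not a Snort rule): the two detection ideas discussed above, written as stateful logic in Python over constructed sample traffic. `reply_surplus` implements the reply-count-versus-request-count heuristic Kevin attributes to Cisco IDS, which is exactly the cross-packet state Matt says a plain Snort rule cannot keep. `constant_sequence` implements the packet-content check twig les recalls (a tunnel reusing one ICMP sequence number for every packet); that fingerprint is treated as an assumption here, not a verified Loki property. The sample traffic, the 10.0.0.0/24 "local" network and the host addresses are all made up for the example, and the third flow in it is the case Kevin says the ratio heuristic misses: the local host is the tunnel client, so requests and replies balance and only the constant sequence number stands out.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumption: the monitored "local" network is 10.0.0.0/24; anything else is foreign.
LOCAL_NET_PREFIX = "10.0.0."

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class IcmpEcho:
    """One ICMP echo request or reply as an IDS would see it on the wire."""
    src: str
    dst: str
    icmp_type: int   # 8 = echo request, 0 = echo reply
    icmp_id: int
    icmp_seq: int


def is_local(ip: str) -> bool:
    return ip.startswith(LOCAL_NET_PREFIX)


def reply_surplus(packets: Iterable[IcmpEcho]) -> Dict[str, int]:
    """The reply/request heuristic described in the thread: for each foreign
    host, count the echo requests the local side sent it and the echo replies
    it sent back. A host that returns more replies than it was asked for is
    flagged; the value is the surplus of unsolicited replies. This needs state
    across packets, which is why a plain Snort rule cannot express it."""
    requests: Dict[str, int] = defaultdict(int)
    replies: Dict[str, int] = defaultdict(int)
    for p in packets:
        if p.icmp_type == ICMP_ECHO_REQUEST and is_local(p.src) and not is_local(p.dst):
            requests[p.dst] += 1
        elif p.icmp_type == ICMP_ECHO_REPLY and not is_local(p.src) and is_local(p.dst):
            replies[p.src] += 1
    hosts = set(requests) | set(replies)
    return {h: replies[h] - requests[h] for h in hosts if replies[h] > requests[h]}


def constant_sequence(packets: Iterable[IcmpEcho], min_packets: int = 4) -> List[str]:
    """Content-based check following twig les's recollection (an assumption
    here, not a verified Loki fingerprint): real ping implementations
    increment the ICMP sequence number, so a tunnel that reuses one value
    stands out. Flags foreign hosts with at least min_packets echo packets
    that all carry the same sequence number."""
    seqs: Dict[str, List[int]] = defaultdict(list)
    for p in packets:
        foreign = p.dst if is_local(p.src) else p.src
        seqs[foreign].append(p.icmp_seq)
    return sorted(h for h, s in seqs.items() if len(s) >= min_packets and len(set(s)) == 1)


# Constructed sample traffic (not a real capture):
SAMPLE_TRAFFIC = (
    # 1) An ordinary 3-packet ping from 10.0.0.5 to 192.0.2.10: replies == requests, seq increments.
    [IcmpEcho("10.0.0.5", "192.0.2.10", ICMP_ECHO_REQUEST, 0x1234, s) for s in (1, 2, 3)]
    + [IcmpEcho("192.0.2.10", "10.0.0.5", ICMP_ECHO_REPLY, 0x1234, s) for s in (1, 2, 3)]
    # 2) A foreign host pushing 5 unsolicited echo replies at 10.0.0.9, all seq 0:
    #    the reply/request heuristic catches this direction.
    + [IcmpEcho("198.51.100.7", "10.0.0.9", ICMP_ECHO_REPLY, 0xF00D, 0) for _ in range(5)]
    # 3) The case Kevin says the heuristic misses: the local host is the tunnel client,
    #    sends 5 echo requests and gets exactly 5 replies, so the counts balance.
    #    Only the constant sequence number gives it away.
    + [IcmpEcho("10.0.0.9", "203.0.113.4", ICMP_ECHO_REQUEST, 0xBEEF, 0) for _ in range(5)]
    + [IcmpEcho("203.0.113.4", "10.0.0.9", ICMP_ECHO_REPLY, 0xBEEF, 0) for _ in range(5)]
)


if __name__ == "__main__":
    print("reply surplus:", reply_surplus(SAMPLE_TRAFFIC))      # {'198.51.100.7': 5}
    print("constant seq:", constant_sequence(SAMPLE_TRAFFIC))   # ['198.51.100.7', '203.0.113.4']
```

Run stand-alone it reports 198.51.100.7 under both checks and 203.0.113.4 only under the sequence-number check, which is the "less than half" blind spot Kevin describes. In Snort terms, the first function is preprocessor territory; the second is the kind of per-packet content test a rule could approximate if the tunnel's packets really do carry a fixed field, which this thread does not confirm.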
Current thread:
- Snort Rules for LOKI Daemon kevin reynolds (Jan 22)
- Re: Snort Rules for LOKI Daemon Matt Kettler (Jan 22)
- Re: Snort Rules for LOKI Daemon twig les (Jan 22)
- Re: Snort Rules for LOKI Daemon Andreas Östling (Jan 23)
- <Possible follow-ups>
- Re: Snort Rules for LOKI Daemon kevin reynolds (Jan 23)
- Re: Snort Rules for LOKI Daemon Matt Kettler (Jan 22)