Snort mailing list archives

Re: Snort Rules for LOKI Daemon


From: "kevin reynolds" <kevinreynolds2525 () hotmail com>
Date: Thu, 23 Jan 2003 14:02:04 +0000

I believe you are correct in that classic loki does have a dead giveaway. Cisco actually has two signatures for loki, "loki icmp tunneling" and "General loki icmp tunneling". While Cisco does not provide the actual signatures (dumb), they do provide a "Network Security DataBase (NSDB)" which provides some explanation of the signatures. Some descriptions are better than others, but for loki icmp tunneling, Cisco claims that it protects against the version of loki released with phrack issue 51. General loki icmp tunneling just looks for an imbalance of icmp echo replies to echo requests.

Neither of these seems to be very effective for detecting a modified version of loki, which exist in great numbers. After researching loki, it is very easy to find versions that remove the "dead giveaway" and encrypt the payloads.

What makes this exploit so significant is that even the most restrictive firewall configurations will still allow inbound icmp echo replies and outbound echo requests. They disable inbound echo requests to prevent an external ip from pinging your network, but anyone could send an unsolicited icmp echo reply. Even stateful firewalls will allow unsolicited icmp echo replies. The one mitigating factor is this exploit first requires some type of root compromise of the victim. But once a compromise occurs, a modified loki daemon could be installed and an attacker may have undetectable root access to the machine.


Kevin






From: twig les <twigles () yahoo com>
To: Matt Kettler <mkettler () evi-inc com>, kevin reynolds <kevinreynolds2525 () hotmail com>, snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort Rules for LOKI Daemon
Date: Wed, 22 Jan 2003 13:33:01 -0800 (PST)

Didn't classic loki use something stupid in the packet
that gave it away?  I believe it was the same sequence
number for every packet.  The reason I bring this up
is I am curious as to how you know what triggers an
alert in Cisco IDS.  I thought the signatures were
off-limits...am I wrong?


--- Matt Kettler <mkettler () evi-inc com> wrote:
> Well, a detection using this method would have to be a snort preprocessor.
> A simple snort rule cannot be stateful, thus can't compare the number of
> echo replies with the number of echo requests...
>
> Of course, if there's something significant in the data contents of the
> echo reply packets themselves, then a simple snort rule would work great.
>
> At 02:38 PM 1/22/2003 +0000, kevin reynolds wrote:
> >What rules, if any, does snort use to detect the lokid?  If the default
> >rule set does not include one, does anyone have a custom rule?
> >Cisco IDS fires the lokid signature when it sees more incoming echo replies
> >than outbound echo requests.  This rule depends on the foreign host
> >sending more echo replies to the local host than the local host has sent
> >echo requests to it.  With this logic, you could assume that you will see
> >less than half of all possible loki intrusions.  Thanks.
> >
> >Kevin
>


=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.
-----------------------------------------------------------



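As an added illustration of the stateful check discussed in this thread (example code, not from the thread, Snort or Cisco), the following Python tracks, per foreign host, outbound echo requests against inbound echo replies and also flags replies that reuse one ICMP sequence number, the "dead giveaway" attributed to classic loki above. The monitored network prefix, the repeat threshold and the packet records are constructed assumptions.

```python
from collections import Counter, defaultdict

# Assumed prefix of the monitored internal network (constructed).
LOCAL_NET = "10.0.0."

# Constructed ICMP records: (src, dst, icmp_type, icmp_seq).
# ICMP type 8 = echo request, type 0 = echo reply.
SAMPLE_PACKETS = [
    # Ordinary ping exchange: three requests out, three replies back.
    ("10.0.0.5", "192.0.2.10", 8, 1), ("192.0.2.10", "10.0.0.5", 0, 1),
    ("10.0.0.5", "192.0.2.10", 8, 2), ("192.0.2.10", "10.0.0.5", 0, 2),
    ("10.0.0.5", "192.0.2.10", 8, 3), ("192.0.2.10", "10.0.0.5", 0, 3),
    # Unsolicited echo replies from a host we never pinged, all with
    # the same sequence number (the pattern described in the thread).
    ("198.51.100.7", "10.0.0.9", 0, 4660),
    ("198.51.100.7", "10.0.0.9", 0, 4660),
    ("198.51.100.7", "10.0.0.9", 0, 4660),
    ("198.51.100.7", "10.0.0.9", 0, 4660),
]


def analyse(packets, local_prefix=LOCAL_NET, min_repeats=3):
    """Return {foreign_host: [reasons]} for hosts whose ICMP traffic is suspicious.

    Two independent checks are applied per foreign host:
      1. imbalance: more echo replies received than echo requests sent
         (the stateful check a plain Snort rule cannot express);
      2. repetition: one sequence number reused across >= min_repeats replies.
    """
    requests_out = Counter()              # foreign host -> echo requests we sent
    replies_in = Counter()                # foreign host -> echo replies we got
    reply_seqs = defaultdict(Counter)     # foreign host -> seq -> occurrences
    for src, dst, icmp_type, seq in packets:
        if icmp_type == 8 and src.startswith(local_prefix):
            requests_out[dst] += 1
        elif icmp_type == 0 and dst.startswith(local_prefix):
            replies_in[src] += 1
            reply_seqs[src][seq] += 1

    alerts = {}
    for host in set(requests_out) | set(replies_in):
        reasons = []
        if replies_in[host] > requests_out[host]:
            reasons.append(f"imbalance: {replies_in[host]} echo replies "
                           f"vs {requests_out[host]} echo requests")
        if reply_seqs[host]:
            seq, count = reply_seqs[host].most_common(1)[0]
            if count >= min_repeats:
                reasons.append(f"repetition: seq {seq} seen in {count} replies")
        if reasons:
            alerts[host] = reasons
    return alerts
```

The imbalance check only fires when replies outnumber requests, and the repetition check only matches the classic variant; as noted above, modified versions that remove the giveaway and encrypt the payload defeat payload-based rules.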



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

