[Snort-sigs] RING signature - questions from a novice sig writer

pbsarnac at ...427... pbsarnac at ...427...
Mon Apr 22 17:55:05 EDT 2002

This signature will actually alert on every successful TCP connection to
your network and log the next 10 packets from that host. Pretty high false
positive rate if you have any internet exposed servers. I think the
functionality you're looking for is actually provided by the portscan
preprocessor. See:

David Bellizzi <dbelliz at ...549...>
Sent by: snort-sigs-admin at ...551...ceforge.net
04/22/2002 06:35 PM

To:       snort-sigs at lists.sourceforge.net
cc:
Subject:  [Snort-sigs] RING signature - questions from a novice sig writer

My apologies if this has been gone over before. Has anyone developed a
signature for the RING OS fingerprinting tool?  After reading the docs I
have cobbled together something but I am unsure if I am doing things right,

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible RING Scan";flags:SA; classtype:attempted-recon; tag: host, 10, packets, dest;)


P.S. Here is the release info on RING.

Carefully studying the way TCP works, especially some timer values
inside the TCP stack, we have derived a new technique for remote OS
detection, based on temporal response analysis.

The idea is quite simple: send a TCP SYN packet to an open port on a
remote system, and listen to the different answers (usually successive
SYN/ACK packets). By measuring the number of responses, the delay
between retries, and the optional presence of a "RST" packet after a
few answers, we can easily recognize some operating systems.
The nice thing is that it only requires sending one packet to an open
TCP port, which makes this method really quiet.

As a proof of concept, we also developed a standalone tool "RING"
that will perform these testings and identifications, using a signature

A patch for Nmap-2.54BETA32 is being prepared and should be released
anytime soon.
At the moment, ring and nmap OS fingerprinting methods are launched
but results aren't merged for better accuracy.
If you want to try this patch, please send me an
email (ring at ...550...).

More information is available at:

The open source tool can be downloaded from:

The open source tool for Linux2.4 kernel can be downloaded from:

The full, 13 pages, white paper is available at:

We will be very happy to get your feedback on this technique.
Feel free to contact us at: ring at ...550...
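
An added example, not part of the original thread or of the RING tool: a plain `flags:SA` match fires on every accepted connection, whereas the behaviour the release note describes is a server repeating its SYN/ACK because the single SYN was never acknowledged. The sketch below separates the two in a constructed packet list; the addresses, ports and retry timings are made-up sample values, and lost packets or SYN floods produce the same pattern, so treat a hit as a lead to investigate.

```python
from collections import defaultdict

# Constructed capture: (time_s, src, sport, dst, dport, flags); 10.0.0.5 is in HOME_NET.
PACKETS = [
    # Ordinary client: SYN, one SYN/ACK, handshake completed by the ACK.
    (0.00, "198.51.100.7", 40000, "10.0.0.5", 80, "S"),
    (0.01, "10.0.0.5", 80, "198.51.100.7", 40000, "SA"),
    (0.05, "198.51.100.7", 40000, "10.0.0.5", 80, "A"),
    # Single SYN that is never acknowledged: the server retries its SYN/ACK.
    (1.00, "203.0.113.9", 41000, "10.0.0.5", 22, "S"),
    (1.01, "10.0.0.5", 22, "203.0.113.9", 41000, "SA"),
    (4.01, "10.0.0.5", 22, "203.0.113.9", 41000, "SA"),
    (10.01, "10.0.0.5", 22, "203.0.113.9", 41000, "SA"),
    (22.01, "10.0.0.5", 22, "203.0.113.9", 41000, "SA"),
    (46.01, "10.0.0.5", 22, "203.0.113.9", 41000, "R"),
]


def unanswered_synack_retries(packets, min_synacks=3):
    """Report server->client flows with repeated SYN/ACKs and no completing ACK."""
    synacks = defaultdict(list)  # (server, sport, client, cport) -> SYN/ACK times
    completed, reset = set(), set()
    for ts, src, sport, dst, dport, flags in sorted(packets):
        if flags == "SA":
            synacks[(src, sport, dst, dport)].append(ts)
        elif "R" in flags and (src, sport, dst, dport) in synacks:
            reset.add((src, sport, dst, dport))      # server gave up with a RST
        elif "A" in flags and (dst, dport, src, sport) in synacks:
            completed.add((dst, dport, src, sport))  # client finished the handshake
    report = {}
    for flow, times in synacks.items():
        if flow in completed or len(times) < min_synacks:
            continue  # a plain flags:SA match would have alerted on these too
        gaps = [round(b - a, 2) for a, b in zip(times, times[1:])]
        report[flow] = {"synacks": len(times), "gaps": gaps,
                        "server_rst": flow in reset}
    return report


if __name__ == "__main__":
    for flow, info in unanswered_synack_retries(PACKETS).items():
        print(flow, info)
```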

