[Snort-sigs] RING signature - questions from a novice sig writer

Andreas Östling andreaso at ...58...
Tue Apr 23 04:37:02 EDT 2002


On Tuesday 23 April 2002 01.35, David Bellizzi wrote:

> My apologies if this has been gone over before. Has anyone developed a
> signature for the RING OS fingerprinting tool?  After reading the docs I
> have cobbled together something but I am unsure if I am doing things right,

Since RING is based on measuring the time between normal response packets, 
there isn't really any signature to watch for (unless this particular tool 
hardcodes some values when building the TCP packets, I've not checked). 
Your rule would probably catch RING responses, but it would also catch all 
other response packets as well (which means hundreds or thousands of 
alerts/second for some people...).

IMHO, a signature-based NIDS is not the best tool for the job in this case.
I'd rather use a network flow monitoring tool such as Argus 
(http://www.qosient.com/argus/index.htm) where these things are normally easy 
to detect.

/Andreas
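
Added example, not part of the original message: a sketch of the flow-level view suggested above, which groups packets per connection instead of matching single packets. It assumes the timing probe leaves the handshake unanswered so that the target retransmits its SYN-ACK; the packet tuples are constructed sample data (not Argus output), and the function name and threshold are hypothetical.

```python
from collections import defaultdict

# Constructed packet summaries: (time_s, src, sport, dst, dport, tcp_flags)
PACKETS = [
    # Normal handshake: SYN, SYN-ACK, ACK
    (0.0, "10.0.0.5", 40001, "192.0.2.10", 80, "S"),
    (0.1, "192.0.2.10", 80, "10.0.0.5", 40001, "SA"),
    (0.2, "10.0.0.5", 40001, "192.0.2.10", 80, "A"),
    # Handshake never completed: the server keeps retransmitting its SYN-ACK
    (1.0, "10.0.0.9", 40002, "192.0.2.10", 80, "S"),
    (1.5, "192.0.2.10", 80, "10.0.0.9", 40002, "SA"),
    (4.5, "192.0.2.10", 80, "10.0.0.9", 40002, "SA"),
    (10.5, "192.0.2.10", 80, "10.0.0.9", 40002, "SA"),
    (22.5, "192.0.2.10", 80, "10.0.0.9", 40002, "SA"),
    # One lost SYN-ACK, then the client completes the handshake
    (30.0, "10.0.0.7", 40003, "192.0.2.10", 80, "S"),
    (30.1, "192.0.2.10", 80, "10.0.0.7", 40003, "SA"),
    (33.1, "192.0.2.10", 80, "10.0.0.7", 40003, "SA"),
    (33.2, "10.0.0.7", 40003, "192.0.2.10", 80, "A"),
]

def unanswered_handshakes(packets, min_synack=3):
    """Return flows where the server sent >= min_synack SYN-ACKs and the
    client never ACKed. Flows are keyed by the client's 4-tuple."""
    flows = defaultdict(lambda: {"synack": [], "acked": False})
    for ts, src, sport, dst, dport, flags in sorted(packets):
        if flags == "S":                      # client opens the flow
            flows[(src, sport, dst, dport)]
        elif flags == "SA":                   # server reply, reverse direction
            key = (dst, dport, src, sport)
            if key in flows:
                flows[key]["synack"].append(ts)
        elif "A" in flags:                    # any ACK from the client side
            key = (src, sport, dst, dport)
            if key in flows:
                flows[key]["acked"] = True
    hits = []
    for (client, cport, server, sport), f in flows.items():
        if not f["acked"] and len(f["synack"]) >= min_synack:
            t = f["synack"]
            # Gaps between retransmissions are what a timing probe measures
            gaps = [round(b - a, 2) for a, b in zip(t, t[1:])]
            hits.append({"client": client, "server": server,
                         "port": sport, "gaps": gaps})
    return hits

if __name__ == "__main__":
    for hit in unanswered_handshakes(PACKETS):
        print(hit)
```

Every packet in the flagged flow is an ordinary SYN-ACK, which is why a per-packet rule cannot separate it from normal traffic while the per-flow state can.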



