[Snort-sigs] RING signature - questions from a novice sig writer
andreaso at ...58...
Tue Apr 23 04:37:02 EDT 2002
On Tuesday 23 April 2002 01.35, David Bellizzi wrote:
> My apologies if this has been gone over before. Has anyone developed a
> signature for the RING OS fingerprinting tool? After reading the docs I
> have cobbled together something but I am unsure if I am doing things right,
Since RING is based on measuring the time between normal response packets,
there isn't really any signature to watch for (unless this particular tool
hardcodes some values when building the TCP packets, I've not checked).
Your rule would probably catch RING responses, but it would also catch all
other response packets as well (which means hundreds or thousands of
alerts/second for some people...).
IMHO, a signature-based NIDS is not the best tool for the job in this case.
I'd rather use a network flow monitoring tool such as Argus
(http://www.qosient.com/argus/index.htm) where these things are normally easy