[Snort-sigs] RING signature - questions from a novice sig writer

David Bellizzi dbelliz at ...553...
Tue Apr 23 08:52:05 EDT 2002


Thanks,
I'll check it out.  I have much to learn in this area.
db


Andreas Östling wrote:

> From: Andreas Östling <andreaso at ...58...>
> To: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] RING signature - questions from a novice sig writer
> Date: Tue, 23 Apr 2002 13:36:19 +0200
> 
> 
> On Tuesday 23 April 2002 01.35, David Bellizzi wrote:
> 
>> My apologies if this has been gone over before. Has anyone developed a
>> signature for the RING OS fingerprinting tool?  After reading the docs I
>> have cobbled together something but I am unsure if I am doing things right,
> 
> Since RING is based on measuring the time between normal response packets,
> there isn't really any signature to watch for (unless this particular tool
> hardcodes some values when building the TCP packets, I've not checked).
> Your rule would probably catch RING responses, but it would also catch all
> other response packets as well (which means hundreds or thousands of
> alerts/second for some people...).
> 
> IMHO, a signature-based NIDS is not the best tool for the job in this case.
> I'd rather use a network flow monitoring tool such as Argus
> (http://www.qosient.com/argus/index.htm) where these things are normally easy
> to detect.
> 
> /Andreas
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
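An added example, not code from either poster, illustrating Andreas's point: a packet-level signature on the server's response fires on every handshake, whereas per-flow state can single out the half-open connections whose SYN-ACK keeps being retransmitted. It assumes RING works by withholding the client's final ACK and timing the SYN-ACK retransmissions (taken from the tool's published description, not from this thread); the packet trace is constructed.

```python
# Added example (not from the thread): why a per-packet content signature
# cannot single out RING, while per-flow state can. Packet records below are
# constructed; RING's measurement of SYN-ACK retransmission timing is assumed
# from the tool's published description.
from collections import defaultdict

# Constructed trace: (time_s, src, sport, dst, dport, flags)
PACKETS = [
    # Normal client: SYN, SYN-ACK, ACK -> completed handshake.
    (0.00, "10.0.0.5", 40001, "10.0.0.80", 80, "S"),
    (0.01, "10.0.0.80", 80, "10.0.0.5", 40001, "SA"),
    (0.02, "10.0.0.5", 40001, "10.0.0.80", 80, "A"),
    # Timing probe: SYN, then the server retransmits its SYN-ACK because the
    # prober never sends the final ACK; the growing gaps are what it measures.
    (1.00, "10.0.0.9", 40002, "10.0.0.80", 80, "S"),
    (1.01, "10.0.0.80", 80, "10.0.0.9", 40002, "SA"),
    (4.01, "10.0.0.80", 80, "10.0.0.9", 40002, "SA"),
    (10.01, "10.0.0.80", 80, "10.0.0.9", 40002, "SA"),
    (22.01, "10.0.0.80", 80, "10.0.0.9", 40002, "SA"),
]


def signature_hits(packets):
    """Packet-level 'signature' on SYN-ACK: fires on every response, benign or not."""
    return sum(1 for p in packets if p[5] == "SA")


def half_open_flows(packets, min_retransmits=2):
    """Flow-level view: connections whose SYN-ACK was retransmitted and never ACKed.

    Returns {(client, cport, server, sport): [seconds between successive SYN-ACKs]}.
    """
    synacks = defaultdict(list)  # flow key -> SYN-ACK timestamps
    acked = set()                # flow keys where the client completed the handshake
    for t, src, sport, dst, dport, flags in packets:
        if flags == "SA":
            synacks[(dst, dport, src, sport)].append(t)
        elif flags == "A":
            acked.add((src, sport, dst, dport))
    result = {}
    for key, times in synacks.items():
        if key in acked or len(times) < min_retransmits + 1:
            continue
        result[key] = [round(b - a, 2) for a, b in zip(times, times[1:])]
    return result
```

On the constructed trace the SYN-ACK signature fires five times (once for the benign client, four for the probe), while the flow view reports only the single half-open connection and its retransmission gaps.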