[Snort-sigs] RING signature - questions from a novice sig writer
dbelliz at ...553...
Tue Apr 23 08:52:05 EDT 2002
I'll check it out. I have much to learn in this area.
Andreas Östling wrote:
> From: Andreas Östling <andreaso at ...58...>
> To: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] RING signature - questions from a novice sig
> Date: Tue, 23 Apr 2002 13:36:19 +0200
> On Tuesday 23 April 2002 01.35, David Bellizzi wrote:
>> My apologies if this has been gone over before. Has anyone developed a
>> signature for the RING OS fingerprinting tool? After reading the docs I
>> have cobbled together something but I am unsure if I am doing things right,
> Since RING is based on measuring the time between normal response packets,
> there isn't really any signature to watch for (unless this particular tool
> hardcodes some values when building the TCP packets, I've not checked).
> Your rule would probably catch RING responses, but it would also catch all
> other response packets as well (which means hundreds or thousands of
> alerts/second for some people...).
> IMHO, a signature-based NIDS is not the best tool for the job in this case.
> I'd rather use a network flow monitoring tool such as Argus
> (http://www.qosient.com/argus/index.htm) where these things are normally easy to detect.
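An added example (not from this thread, and not code from RING, Snort or Argus) of the flow-level check Andreas describes instead of a packet signature. It assumes the timing probe shows up as a half-open connection whose SYN/ACK the server keeps retransmitting while the probing client stays silent, and runs that check over constructed packet records, keeping a normal handshake and a reset SYN scan out of the result.

```python
from collections import defaultdict

# Constructed packet records (not real traffic): (seconds, src, dst, sport, dport, flags)
PACKETS = [
    # Timing probe: one SYN, the server's SYN/ACK is retransmitted, the client never answers
    (0.00, "10.0.0.9", "192.0.2.10", 40000, 22, "S"),
    (0.01, "192.0.2.10", "10.0.0.9", 22, 40000, "SA"),
    (3.01, "192.0.2.10", "10.0.0.9", 22, 40000, "SA"),
    (9.01, "192.0.2.10", "10.0.0.9", 22, 40000, "SA"),
    (21.01, "192.0.2.10", "10.0.0.9", 22, 40000, "SA"),
    # Ordinary handshake: a single SYN/ACK, answered at once
    (0.50, "10.0.0.7", "192.0.2.10", 51000, 80, "S"),
    (0.51, "192.0.2.10", "10.0.0.7", 80, 51000, "SA"),
    (0.52, "10.0.0.7", "192.0.2.10", 51000, 80, "A"),
    # Plain SYN scan: the client resets instead of staying silent
    (1.00, "10.0.0.8", "192.0.2.10", 42000, 25, "S"),
    (1.01, "192.0.2.10", "10.0.0.8", 25, 42000, "SA"),
    (1.02, "10.0.0.8", "192.0.2.10", 42000, 25, "R"),
]

def half_open_probes(packets, min_retrans=2):
    """Map (client, cport, server, sport) -> SYN/ACK retransmission gaps in seconds,
    for connections where the server resent its SYN/ACK at least min_retrans times
    and the client never followed up with an ACK, RST or anything else."""
    synack_times = defaultdict(list)
    answered = set()
    for t, src, dst, sport, dport, flags in sorted(packets):
        if flags == "SA":                         # server -> client
            synack_times[(dst, dport, src, sport)].append(t)
        elif flags != "S":                        # client's ACK, RST, data, ...
            answered.add((src, sport, dst, dport))
    probes = {}
    for conn, times in synack_times.items():
        if conn in answered or len(times) - 1 < min_retrans:
            continue
        probes[conn] = [round(b - a, 2) for a, b in zip(times, times[1:])]
    return probes

def suspect_clients(packets, min_retrans=2):
    """Client addresses with at least one unanswered, retransmitting half-open connection."""
    return sorted({conn[0] for conn in half_open_probes(packets, min_retrans)})

if __name__ == "__main__":
    for conn, gaps in half_open_probes(PACKETS).items():
        print(f"{conn[0]}:{conn[1]} -> {conn[2]}:{conn[3]} SYN/ACK gaps {gaps}")
```

A client that simply crashed mid-handshake produces the same pattern, so the retransmission threshold and the count of such connections per client are what keep this from paging on every lost laptop.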