[Snort-users] Snort Rules for LOKI Daemon
kevinreynolds2525 at ...125...
Wed Jan 22 06:39:08 EST 2003
What rules, if any, does snort use to detect the lokid? If the
default rule set does not include one, does anyone have a custom rule?
Cisco IDS fires the lokid signature when it sees more incoming echo replies
than outbound echo requests. This rule depends on the foreign host sending
more echo replies to the local host than the local host has sent echo
requests to it. With this logic, you could assume that you will see less
than half of all possible loki intrusions. Thanks.
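The counting logic the post attributes to the Cisco IDS signature, sketched as an added example; it is not part of the original message and is not Cisco's or Snort's code. The local network range, the event tuple layout and all addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8                      # ICMP type numbers
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")     # assumed local range

def is_local(addr):
    return ipaddress.ip_address(addr) in LOCAL_NET

def reply_imbalance(events):
    """Return {(local, foreign): (requests_out, replies_in)} for every host
    pair where inbound echo replies exceed outbound echo requests."""
    counts = defaultdict(lambda: [0, 0])             # [requests_out, replies_in]
    for src, dst, icmp_type in events:
        if icmp_type == ECHO_REQUEST and is_local(src) and not is_local(dst):
            counts[(src, dst)][0] += 1
        elif icmp_type == ECHO_REPLY and is_local(dst) and not is_local(src):
            counts[(dst, src)][1] += 1
    return {pair: tuple(c) for pair, c in counts.items() if c[1] > c[0]}

# Constructed events: (source, destination, ICMP type)
SAMPLE_EVENTS = [
    # Ordinary ping: one request out, one reply back.
    ("192.0.2.10", "198.51.100.5", ECHO_REQUEST),
    ("198.51.100.5", "192.0.2.10", ECHO_REPLY),
    # One request out, three replies in: the imbalance the signature keys on.
    ("192.0.2.20", "203.0.113.7", ECHO_REQUEST),
    ("203.0.113.7", "192.0.2.20", ECHO_REPLY),
    ("203.0.113.7", "192.0.2.20", ECHO_REPLY),
    ("203.0.113.7", "192.0.2.20", ECHO_REPLY),
    # Opposite direction (requests in, replies out): never counted by this logic.
    ("203.0.113.9", "192.0.2.30", ECHO_REQUEST),
    ("192.0.2.30", "203.0.113.9", ECHO_REPLY),
    ("192.0.2.30", "203.0.113.9", ECHO_REPLY),
]

if __name__ == "__main__":
    for (local, foreign), (req, rep) in reply_imbalance(SAMPLE_EVENTS).items():
        print(f"{foreign} -> {local}: {rep} echo replies for {req} echo requests")
```

Only the second pair is reported; the third group, where the extra replies leave the local network, passes unflagged, which is the direction dependence the post describes.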