[Snort-users] Snort Rules for LOKI Daemon

kevin reynolds kevinreynolds2525 at ...125...
Wed Jan 22 06:39:08 EST 2003

What rules, if any, does snort use to detect the lokid?  If the 
default rule set does not include one, does anyone have a custom rule?  
Cisco IDS fires the lokid signature when it sees more incoming echo replies 
than outbound echo requests.  This rule depends on the foreign host sending 
more echo replies to the local host than the local host has sent echo 
requests to it.  With this logic, you could assume that you will see less 
than half of all possible loki intrusions.  Thanks.
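
The counting heuristic described in the message above, written out as an added example (not part of the original post, and not Snort or Cisco code). The local network, the addresses and the packet records are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8                   # ICMP type numbers
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")   # assumed local network

# Constructed sample records: (source, destination, ICMP type)
SAMPLE = [
    # ordinary ping: two requests out, two replies back
    ("10.0.0.5", "192.0.2.10", 8), ("192.0.2.10", "10.0.0.5", 0),
    ("10.0.0.5", "192.0.2.10", 8), ("192.0.2.10", "10.0.0.5", 0),
    # one request out, three replies back
    ("10.0.0.7", "198.51.100.20", 8),
    ("198.51.100.20", "10.0.0.7", 0),
    ("198.51.100.20", "10.0.0.7", 0),
    ("198.51.100.20", "10.0.0.7", 0),
    # reply with no request at all
    ("203.0.113.9", "10.0.0.8", 0),
    # request arrives from outside, reply goes out: never counted below
    ("203.0.113.30", "10.0.0.9", 8), ("10.0.0.9", "203.0.113.30", 0),
]

def is_local(addr):
    return ipaddress.ip_address(addr) in LOCAL_NET

def count_echo(packets):
    """Per (local, foreign) pair: outbound echo requests, inbound echo replies."""
    counts = defaultdict(lambda: {"requests_out": 0, "replies_in": 0})
    for src, dst, icmp_type in packets:
        if icmp_type == ECHO_REQUEST and is_local(src) and not is_local(dst):
            counts[(src, dst)]["requests_out"] += 1
        elif icmp_type == ECHO_REPLY and is_local(dst) and not is_local(src):
            counts[(dst, src)]["replies_in"] += 1
    return dict(counts)

def excess_replies(packets):
    """Pairs where the foreign host sent more replies than the local host requested."""
    return sorted(pair for pair, c in count_echo(packets).items()
                  if c["replies_in"] > c["requests_out"])

if __name__ == "__main__":
    for local, foreign in excess_replies(SAMPLE):
        print(f"excess echo replies: {foreign} -> {local}")
```

The last two sample records are an exchange in the opposite direction (inbound request, outbound reply); this count never sees them, so the pair is not reported.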


