[Snort-users] Snort Rules for LOKI Daemon
mkettler at ...4108...
Wed Jan 22 13:21:05 EST 2003
Well, a detection using this method would have to be a snort preprocessor.
A simple snort rule cannot be stateful, thus can't compare the number of
echo replies with the number of echo requests...
Of course, if there's something significant in the data contents of the
echo reply packets themselves, then a simple snort rule would work great.
At 02:38 PM 1/22/2003 +0000, kevin reynolds wrote:
>What rules, if any, does snort use to detect the lokid? If there the
>default rule set does not include one, does anyone have a custom rule?
>Cisco IDS fires the lokid signature when it sees more incoming echo replys
>than outbound echo requests. This rule depends on the foreign host
>sending more echo replies to the local host than the local host has sent
>echo requests to it. With this logic, you could assume that you will see
>less than half of all possible loki intrusions. Thanks.
More information about the Snort-users