[Snort-users] Snort Rules for LOKI Daemon

Matt Kettler mkettler at ...4108...
Wed Jan 22 13:21:05 EST 2003

Well, a detection using this method would have to be a snort preprocessor. 
A simple snort rule cannot be stateful, thus can't compare the number of 
echo replies with the number of echo requests...

Of course, if there's something significant in the data contents of the 
echo reply packets themselves, then a simple snort rule would work great.

At 02:38 PM 1/22/2003 +0000, kevin reynolds wrote:
>What rules, if any, does snort use to detect the lokid?  If there the 
>default rule set does not include one, does anyone have a custom rule?
>Cisco IDS fires the lokid signature when it sees more incoming echo replys 
>than outbound echo requests.  This rule depends on the foreign host 
>sending more echo replies to the local host than the local host has sent 
>echo requests to it.  With this logic, you could assume that you will see 
>less than half of all possible loki intrusions.  Thanks.

More information about the Snort-users mailing list