[Snort-users] Snort Rules for LOKI Daemon

twig les twigles at ...131...
Wed Jan 22 13:34:03 EST 2003


Didn't classic loki use something stupid in the packet
that gave it away?  I believe it was the same sequence
number for every packet.  The reason I bring this up
is I am curious as to how you know what triggers an
alert in Cisco IDS.  I thought the signatures were
off-limits...am I wrong?


--- Matt Kettler <mkettler at ...4108...> wrote:
> Well, a detection using this method would have to be
> a snort preprocessor. 
> A simple snort rule cannot be stateful, thus can't
> compare the number of 
> echo replies with the number of echo requests...
> 
> Of course, if there's something significant in the
> data contents of the 
> echo reply packets themselves, then a simple snort
> rule would work great.
> 
> At 02:38 PM 1/22/2003 +0000, kevin reynolds wrote:
> >What rules, if any, does snort use to detect the
> lokid?  If there the 
> >default rule set does not include one, does anyone
> have a custom rule?
> >Cisco IDS fires the lokid signature when it sees
> more incoming echo replys 
> >than outbound echo requests.  This rule depends on
> the foreign host 
> >sending more echo replies to the local host than
> the local host has sent 
> >echo requests to it.  With this logic, you could
> assume that you will see 
> >less than half of all possible loki intrusions. 
> Thanks.
> >
> >Kevin
> 
> 
> 
>
-------------------------------------------------------
> This SF.net email is sponsored by: Scholarships for
> Techies!
> Can't afford IT training? All 2003 ictp students
> receive scholarships.
> Get hands-on training in Microsoft, Cisco, Sun,
> Linux/UNIX, and more.
> www.ictp.com/training/sourceforge.asp
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or
> unsubscribe:
>
https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
>
http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.         
-----------------------------------------------------------

__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com




More information about the Snort-users mailing list