[Snort-users] Snort Rules for LOKI Daemon

Andreas Östling andreaso at ...236...
Thu Jan 23 02:04:02 EST 2003


On Wednesday 22 January 2003 22.22, Matt Kettler wrote:
> Well, a detection using this method would have to be a snort preprocessor.
> A simple snort rule cannot be stateful, thus can't compare the number of
> echo replies with the number of echo requests...

I once began writing a preprocessor that does this and a few other things.
It was never finished and you probably don't want to run it in a production 
environment. If anyone wants to continue working on it, just go ahead.
I think there are some old snapshots on http://nitzer.dhs.org/spp_sicmple/

/Andreas
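
The stateful comparison discussed in this thread (echo replies checked against echo requests), sketched as an added example; it is not code from the original post or from the preprocessor mentioned above, and it is not a Snort preprocessor. The class name, the timeout and threshold values, and the sample packets are assumptions constructed for illustration.

```python
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP type numbers

class EchoBalanceTracker:
    """Match each echo reply to an outstanding echo request, per host pair."""
    def __init__(self, timeout=10.0, threshold=3):
        self.timeout = timeout      # seconds a request may wait for its reply (assumed)
        self.threshold = threshold  # unsolicited replies before alerting (assumed)
        self.pending = {}           # (requester, responder, id, seq) -> timestamp
        self.unsolicited = defaultdict(int)  # (reply src, reply dst) -> count

    def observe(self, ts, src, dst, icmp_type, ident, seq):
        """Feed one ICMP packet; return an alert string or None."""
        # Forget requests that have waited longer than the timeout.
        self.pending = {k: t for k, t in self.pending.items()
                        if ts - t <= self.timeout}
        if icmp_type == ECHO_REQUEST:
            self.pending[(src, dst, ident, seq)] = ts
            return None
        if icmp_type != ECHO_REPLY:
            return None
        # A solicited reply travels the reverse direction with the same id/seq.
        if self.pending.pop((dst, src, ident, seq), None) is not None:
            return None
        self.unsolicited[(src, dst)] += 1
        count = self.unsolicited[(src, dst)]
        if count >= self.threshold:
            return f"{count} unsolicited echo replies {src} -> {dst}"
        return None

# Constructed sample traffic: (time, src, dst, ICMP type, id, seq)
SAMPLE = [
    (0.0, "192.0.2.10", "192.0.2.20", 8, 0x1234, 1),   # normal ping
    (0.1, "192.0.2.20", "192.0.2.10", 0, 0x1234, 1),   # matching reply
    (5.0, "192.0.2.20", "192.0.2.10", 0, 0xF001, 0),   # reply with no request
    (5.2, "192.0.2.20", "192.0.2.10", 0, 0xF001, 0),
    (5.4, "192.0.2.20", "192.0.2.10", 0, 0xF001, 0),
    (30.0, "192.0.2.10", "192.0.2.20", 8, 0x1234, 2),
    (45.0, "192.0.2.20", "192.0.2.10", 0, 0x1234, 2),  # reply arrives after timeout
]

def run(packets, **kwargs):
    """Replay packets through a fresh tracker; return (tracker, alerts)."""
    tracker = EchoBalanceTracker(**kwargs)
    alerts = [a for a in (tracker.observe(*p) for p in packets) if a]
    return tracker, alerts
```

A reply that arrives after its request has expired is counted as unsolicited, so the timeout has to exceed the worst round-trip time expected on the monitored network.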




