[Snort-users] Snort Rules for LOKI Daemon

kevin reynolds kevinreynolds2525 at ...125...
Thu Jan 23 06:03:02 EST 2003

I believe you are correct in that classic loki does have a dead giveaway.  
Cisco actually has two signatures for loki, "loki icmp tunneling" and 
"General loki icmp tunneling".  While Cisco does not provide the actual 
signatures (dumb), they do provide a "Network Security DataBase (NSDB)" 
which provides some explanation of the signatures.  Some descriptions are 
better than others, but for loki icmp tunneling, Cisco claims that it 
protects against the version of loki released with Phrack issue 51.  General 
loki icmp tunneling just looks for an imbalance of icmp echo replies to echo 

Neither of these seems to be very effective for detecting a modified version 
of loki, which exist in great numbers.  After researching loki, it is very 
easy to find versions that remove the "dead giveaway" and encrypt the 

What makes this exploit so significant is that even the most restrictive 
firewall configurations will still allow inbound icmp echo replies and 
outbound echo requests.  They disable inbound echo requests to prevent an 
external ip from pinging your network, but anyone could send an unsolicited 
icmp echo reply.  Even stateful firewalls will allow unsolicited icmp echo 
replies.  The one mitigating factor is this exploit first requires some type 
of root compromise of the victim.  But once a compromise occurs, a modified 
loki daemon could be installed and an attacker may have undetectable root 
access to the machine.


>From: twig les <twigles at ...131...>
>To: Matt Kettler <mkettler at ...4108...>,  kevin reynolds 
><kevinreynolds2525 at ...125...>,  snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] Snort Rules for LOKI Daemon
>Date: Wed, 22 Jan 2003 13:33:01 -0800 (PST)
>Didn't classic loki use something stupid in the packet
>that gave it away?  I believe it was the same sequence
>number for every packet.  The reason I bring this up
>is I am curious as to how you know what triggers an
>alert in Cisco IDS.  I thought the signatures were
>off-limits...am I wrong?
>--- Matt Kettler <mkettler at ...4108...> wrote:
> > Well, a detection using this method would have to be a snort preprocessor.
> > A simple snort rule cannot be stateful, thus can't compare the number of
> > echo replies with the number of echo requests...
> >
> > Of course, if there's something significant in the data contents of the
> > echo reply packets themselves, then a simple snort rule would work great.
> >
> > At 02:38 PM 1/22/2003 +0000, kevin reynolds wrote:
> > >What rules, if any, does snort use to detect the lokid?  If the
> > >default rule set does not include one, does anyone have a custom rule?
> > >Cisco IDS fires the lokid signature when it sees more incoming echo
> > >replies than outbound echo requests.  This rule depends on the foreign
> > >host sending more echo replies to the local host than the local host
> > >has sent echo requests to it.  With this logic, you could assume that
> > >you will see less than half of all possible loki intrusions.  Thanks.
> > >
> > >Kevin
>Know yourself and know your enemy and you will never fear defeat.

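Added example (not code from any poster in this thread, and not a Snort preprocessor or Cisco's signature): a stateful check of the kind the thread says a plain rule cannot do, matching each inbound echo reply to an outstanding outbound echo request instead of comparing totals, plus the constant-sequence-number check recalled above for classic loki. The packet tuple layout, the "10.0.0." local prefix, the threshold and all sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP type numbers

# Constructed sample traffic: (src, dst, icmp_type, icmp_id, icmp_seq)
SAMPLE = [
    # Ordinary ping from a local host: sequence increments, replies match.
    ("10.0.0.5", "192.0.2.10", ECHO_REQUEST, 100, 1),
    ("192.0.2.10", "10.0.0.5", ECHO_REPLY, 100, 1),
    ("10.0.0.5", "192.0.2.10", ECHO_REQUEST, 100, 2),
    ("192.0.2.10", "10.0.0.5", ECHO_REPLY, 100, 2),
    ("10.0.0.5", "192.0.2.10", ECHO_REQUEST, 100, 3),
    ("192.0.2.10", "10.0.0.5", ECHO_REPLY, 100, 3),
    # Inbound echo replies that no local host asked for.
    ("203.0.113.7", "10.0.0.9", ECHO_REPLY, 200, 61441),
    ("203.0.113.7", "10.0.0.9", ECHO_REPLY, 200, 61441),
    ("203.0.113.7", "10.0.0.9", ECHO_REPLY, 200, 61441),
    # Balanced request/reply pairs (a count comparison sees nothing odd),
    # but the sequence number never changes.
    ("10.0.0.9", "198.51.100.4", ECHO_REQUEST, 300, 61441),
    ("198.51.100.4", "10.0.0.9", ECHO_REPLY, 300, 61441),
    ("10.0.0.9", "198.51.100.4", ECHO_REQUEST, 300, 61441),
    ("198.51.100.4", "10.0.0.9", ECHO_REPLY, 300, 61441),
    ("10.0.0.9", "198.51.100.4", ECHO_REQUEST, 300, 61441),
    ("198.51.100.4", "10.0.0.9", ECHO_REPLY, 300, 61441),
]

def analyze(packets, local_prefix="10.0.0.", same_seq_threshold=3):
    """Return {remote_host: sorted findings} for suspicious ICMP echo traffic."""
    outstanding = set()        # (local, remote, id, seq) requests awaiting a reply
    seqs = defaultdict(list)   # (src, dst, type, id) -> sequence numbers seen
    findings = defaultdict(set)
    for src, dst, typ, ident, seq in packets:
        if typ == ECHO_REQUEST and src.startswith(local_prefix):
            outstanding.add((src, dst, ident, seq))
        elif typ == ECHO_REPLY and dst.startswith(local_prefix):
            key = (dst, src, ident, seq)
            if key in outstanding:
                outstanding.discard(key)   # reply answers a real request
            else:
                findings[src].add("unsolicited-echo-reply")
        seqs[(src, dst, typ, ident)].append(seq)
    # Normal ping increments the sequence number; a long run of one value is odd.
    for (src, dst, typ, ident), seen in seqs.items():
        if len(seen) >= same_seq_threshold and len(set(seen)) == 1:
            remote = dst if src.startswith(local_prefix) else src
            findings[remote].add("constant-sequence-number")
    return {host: sorted(f) for host, f in findings.items()}

if __name__ == "__main__":
    for host, found in analyze(SAMPLE).items():
        print(host, found)
```

A modified daemon that varies its sequence numbers and pairs every reply with a request passes both checks, which is the limitation raised at the top of this message.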