06-25-2001 04:26 PM - edited 03-08-2019 08:24 PM
I have rather suddenly been getting a lot of Critical alerts for Signature 6053 General Loki ICMP Tunneling. While the Cisco database says that there are no known benign triggers, I have correlated data that shows otherwise. I have a vendor whose software does a remote polling of devices they monitor in my network, and each polling event generates the Loki alert.
I am also in the process of correlating data/alerts from external host connections generating this alert to my Novell platformed DNS server.
Have there been any other false positive triggers/software identified?
thanks,
sal
06-25-2001 05:07 PM
Sal,
One way to false positive LOKI is to have asymmetric routing or filtering of directional traffic. The general condition is that the Sensor could see the ECHO REPLY messages without having first seen the ECHO REQUEST. This would trigger a false positive on Loki. Note also that it *is* order dependent, so if for some reason the REPLY is seen before the REQUEST, even if the REQUEST is seen, then you can have a false positive.
Another possible cause of Loki alarms is a system that sends out multiple REPLYs to a REQUEST. We have seen the latter in real life and tuned the signature around it.
What version of CSIDS are you running?
Scott
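To make the two false-positive conditions above concrete, here is an added example (not from this thread and not Cisco's signature 6053 implementation) that models how a sensor pairs ECHO REQUESTs with ECHO REPLYs. It flags a reply whose request was never seen (asymmetric routing, or the reply simply arriving first) and a host that answers one request with more than the tuned number of replies. The addresses, ICMP id/seq values and the `trusted_requesters` knob (a stand-in for the directional filter Sal mentions) are constructed for illustration.

```python
from collections import namedtuple

# One ICMP packet as the sensor observes it (constructed sample data, not real
# captures). icmp_id/seq are the Echo identifier and sequence-number fields.
IcmpPkt = namedtuple("IcmpPkt", "ts src dst icmp_type icmp_id seq")
ECHO_REPLY, ECHO_REQUEST = 0, 8


class EchoPairTracker:
    """Stateful ECHO REQUEST / ECHO REPLY pairing.

    Simplified model of the conditions described in the thread; it is not
    Cisco's signature logic.  A reply with no matching request raises
    UNSOLICITED_REPLY; more replies than max_replies_per_request raises
    EXTRA_REPLY.
    """

    def __init__(self, max_replies_per_request=1, trusted_requesters=()):
        self.max_replies = max_replies_per_request
        # Requesters whose replies are not alerted on even when the request was
        # never seen: a crude directional filter for a known poller (assumption).
        self.trusted = set(trusted_requesters)
        self.pending = {}   # (requester, responder, id, seq) -> replies seen
        self.alerts = []

    def observe(self, pkt):
        if pkt.icmp_type == ECHO_REQUEST:
            self.pending[(pkt.src, pkt.dst, pkt.icmp_id, pkt.seq)] = 0
        elif pkt.icmp_type == ECHO_REPLY:
            # A reply flows responder -> requester, so swap src/dst to look up
            # the request that should have preceded it.
            key = (pkt.dst, pkt.src, pkt.icmp_id, pkt.seq)
            if key not in self.pending:
                if pkt.dst not in self.trusted:
                    self.alerts.append("UNSOLICITED_REPLY")
                return
            self.pending[key] += 1
            if self.pending[key] > self.max_replies:
                self.alerts.append("EXTRA_REPLY")


def run_scenario(packets, **tracker_kwargs):
    """Feed packets to a fresh tracker in observation order; return alerts."""
    tracker = EchoPairTracker(**tracker_kwargs)
    for pkt in packets:          # deliberately NOT sorted: order matters
        tracker.observe(pkt)
    return tracker.alerts


POLLER, DEVICE = "10.0.0.5", "10.0.1.20"   # constructed addresses

# Normal case: the sensor sees the request, then a single reply.
SYMMETRIC = [
    IcmpPkt(1.0, POLLER, DEVICE, ECHO_REQUEST, 0x1234, 1),
    IcmpPkt(1.1, DEVICE, POLLER, ECHO_REPLY, 0x1234, 1),
]
# Asymmetric routing: the request took a path the sensor does not watch.
ASYMMETRIC = [
    IcmpPkt(2.1, DEVICE, POLLER, ECHO_REPLY, 0x1234, 2),
]
# Both packets are seen, but the reply reaches the sensor first.
REORDERED = [
    IcmpPkt(3.1, DEVICE, POLLER, ECHO_REPLY, 0x1234, 3),
    IcmpPkt(3.2, POLLER, DEVICE, ECHO_REQUEST, 0x1234, 3),
]
# A host that answers one request with two replies.
MULTI_REPLY = [
    IcmpPkt(4.0, POLLER, DEVICE, ECHO_REQUEST, 0x1234, 4),
    IcmpPkt(4.1, DEVICE, POLLER, ECHO_REPLY, 0x1234, 4),
    IcmpPkt(4.2, DEVICE, POLLER, ECHO_REPLY, 0x1234, 4),
]

if __name__ == "__main__":
    for name, pkts in [("symmetric", SYMMETRIC), ("asymmetric", ASYMMETRIC),
                       ("reordered", REORDERED), ("multi_reply", MULTI_REPLY)]:
        print(f"{name:12s} -> {run_scenario(pkts)}")
    # Tuning options: trust the known poller, or allow two replies per request.
    print("asymmetric, poller trusted ->",
          run_scenario(ASYMMETRIC, trusted_requesters=[POLLER]))
    print("multi_reply, 2 allowed     ->",
          run_scenario(MULTI_REPLY, max_replies_per_request=2))
```

The `trusted_requesters` list is the cheapest tuning (suppress unsolicited replies headed to a known poller), but it also blinds the check for that host, so it is worth pairing with a review of why the sensor never sees the poller's requests in the first place.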
06-25-2001 10:35 PM
scott,
Thanks, that was useful info. I'll look into setting some directional filters on the reply traffic.
The CSIDS version on these sensors is 2.2, but we're in the process (slowly) of updating all sensors to 2.5.
-sal