Snort mailing list archives

RE: RE: BO pre-processor


From: "larosa, vjay" <larosa_vjay () emc com>
Date: Tue, 18 Jun 2002 15:38:34 -0400

I guess that is really a problem then. BO2K is very simple to acquire and is
very easy to configure. I don't like the idea of not being able to detect
this traffic on my networks...... Anybody else have any thoughts on this?
Thanks!

vjl

-----Original Message-----
From: Larc [mailto:larc () pandora be]
Sent: Tuesday, June 18, 2002 3:37 PM
To: larosa, vjay; snort-users () lists sourceforge net
Subject: Re: [Snort-users] RE: BO pre-processor


It's not so easy to detect BO2K, because the traffic is encrypted.
If I can still remember something from my SANS course, then in the beginning
of BO2K it was possible, but the coders changed the code and now it is
impossible (till someone finds the way to detect it).

Stefan Dens

----- Original Message -----
From: "larosa, vjay" <larosa_vjay () emc com>
To: <snort-users () lists sourceforge net>
Sent: Tuesday, June 18, 2002 8:07 PM
Subject: [Snort-users] RE: BO pre-processor


I believe I might understand why I don't see any events with snort: the BO
explanation in the snort.conf does state Back Orifice (not BO2K). So if
snort does not detect BO2K, does anybody out there know of a way to identify
this traffic on the network? Thanks!

vjl

-----Original Message-----
From: larosa, vjay
Sent: Tuesday, June 18, 2002 1:56 PM
To: 'snort-users () lists sourceforge net'
Subject: BO pre-processor

Hello,

Has anybody done any work with the Back Orifice 2000 Pre-Processor? I
have been testing in my lab and snort appears to be missing all of the BO
traffic. I have tried with and without the -nobrute option.
I am not that familiar with BO, but I am remote controlling the PC, so I
would expect to see some sort of alert from snort, right? Thanks!

vjl


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

