Snort mailing list archives
Re: RE: BO pre-processor
From: "Larc" <larc () pandora be>
Date: Tue, 18 Jun 2002 21:36:43 +0200
It's not so easy to detect BO2K, because the traffic is encrypted. If I can still remember something from my SANS course, then in the beginning of BO2K it was possible, but the coders changed the code and now it is impossible (till someone finds the way to detect it).

Stefan Dens

----- Original Message -----
From: "larosa, vjay" <larosa_vjay () emc com>
To: <snort-users () lists sourceforge net>
Sent: Tuesday, June 18, 2002 8:07 PM
Subject: [Snort-users] RE: BO pre-processor

I believe I might understand why I don't see any events with snort, the BO explanation in the snort.conf does state Back Orifice (not BO2K). So if snort does not detect BO2K does anybody out there know of a way to identify this traffic on the network?

Thanks!

vjl

-----Original Message-----
From: larosa, vjay
Sent: Tuesday, June 18, 2002 1:56 PM
To: 'snort-users () lists sourceforge net'
Subject: BO pre-processor

Hello,

Has anybody done any work with the Back Orifice 2000 Pre-Processor? I have been testing in my lab and snort appears to be missing all of the BO traffic. I have tried with and without the -nobrute option.

I am not that familiar with BO, but I am remote controlling the PC so I would expect to see some sort of alert from snort, right?

Thanks!

vjl

----------------------------------------------------------------------------
Bringing you mounds of caffeinated joy >>> http://thinkgeek.com/sf <<<
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- BO pre-processor larosa, vjay (Jun 18)
- Re: BO pre-processor Beno Chapman (Jun 18)
- <Possible follow-ups>
- RE: BO pre-processor larosa, vjay (Jun 18)
- Re: RE: BO pre-processor Larc (Jun 18)
- RE: RE: BO pre-processor larosa, vjay (Jun 18)
- RE: RE: BO pre-processor Claude Bailey (Jun 18)