Snort mailing list archives
RE: RE: BO pre-processor
From: Claude Bailey <Claude.Bailey () RIAG com>
Date: Tue, 18 Jun 2002 15:01:46 -0500
Our antivirus system reportedly detects BO2K. I've been relying on it.

-----Original Message-----
From: larosa, vjay [mailto:larosa_vjay () emc com]
Sent: Tuesday, June 18, 2002 2:39 PM
To: 'Larc'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] RE: BO pre-processor

I guess that is really a problem then. BO2K is very simple to acquire and is very easy to configure. I don't like the idea of not being able to detect this traffic on my networks... Anybody else have any thoughts on this?

Thanks!
vjl

-----Original Message-----
From: Larc [mailto:larc () pandora be]
Sent: Tuesday, June 18, 2002 3:37 PM
To: larosa, vjay; snort-users () lists sourceforge net
Subject: Re: [Snort-users] RE: BO pre-processor

It's not so easy to detect BO2K, because the traffic is encrypted. If I still can remember something from my SANS course, then in the beginning of BO2K it was possible, but the coders changed the code and now it is impossible (till someone finds the way to detect it).

Stefan Dens

----- Original Message -----
From: "larosa, vjay" <larosa_vjay () emc com>
To: <snort-users () lists sourceforge net>
Sent: Tuesday, June 18, 2002 8:07 PM
Subject: [Snort-users] RE: BO pre-processor

I believe I might understand why I don't see any events with snort: the BO explanation in the snort.conf does state Back Orifice (not BO2K). So if snort does not detect BO2K, does anybody out there know of a way to identify this traffic on the network?

Thanks!
vjl

-----Original Message-----
From: larosa, vjay
Sent: Tuesday, June 18, 2002 1:56 PM
To: 'snort-users () lists sourceforge net'
Subject: BO pre-processor

Hello,

Has anybody done any work with the Back Orifice 2000 Pre-Processor? I have been testing in my lab and snort appears to be missing all of the BO traffic. I have tried with and without the -nobrute option. I am not that familiar with BO, but I am remote controlling the PC so I would expect to see some sort of alert from snort, right?

Thanks!
vjl

----------------------------------------------------------------------------
Bringing you mounds of caffeinated joy
>>> http://thinkgeek.com/sf <<<
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- BO pre-processor larosa, vjay (Jun 18)
- Re: BO pre-processor Beno Chapman (Jun 18)
- <Possible follow-ups>
- RE: BO pre-processor larosa, vjay (Jun 18)
- Re: RE: BO pre-processor Larc (Jun 18)
- RE: RE: BO pre-processor larosa, vjay (Jun 18)
- RE: RE: BO pre-processor Claude Bailey (Jun 18)