Snort mailing list archives
Re: Snort and backdoors
From: Erek Adams <erek () snort org>
Date: Thu, 10 Jul 2003 06:44:22 -0400 (EDT)
On Thu, 10 Jul 2003, Wojciech M. wrote:
I added to snort.conf (version 2.0.0) the line:
include $RULE_PATH/backdoor.rules
and I started Snort:
snort -A full -l /home/test/log -h my_home_network/32 -c /etc/snort.conf
All worked fine, but Snort didn't log any of the backdoors. This is strange because it logged other attacks. To test Snort I used Nessus. What did I do wrong?
Nothing. If you look at the backdoor ruleset, you'll see that the keyword "flow:" is used on almost every rule. Flow keeps track of state and understands the difference between a single packet containing the backdoor code and an entire 'conversation' that contains it. Basically, if "flow:" is used, you're going to look at the entire conversation, not just one packet. Cheers! ----- Erek Adams "When things get weird, the weird turn pro." H.S. Thompson
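The distinction Erek draws, a stateless content match versus a rule constrained by "flow:", is easy to see in a small model. The following is an added example, not code from the original thread and not Snort itself: it tracks the TCP three-way handshake for each 4-tuple, then applies two rules carrying the same (constructed) signature, one without a flow constraint and one with the equivalent of flow:to_server,established. All packets, addresses, ports and the signature string are constructed for illustration.

```python
# Added example: a toy model of how a "flow:" constraint changes what a
# content rule matches.  Packets, addresses and the signature are constructed;
# this is not Snort code and not real backdoor traffic.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str          # subset of "SA": S = SYN, A = ACK
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    msg: str
    content: bytes
    flow: tuple = None  # None = stateless; else (direction, "established")


class FlowTracker:
    """Follows the three-way handshake per connection so a rule can ask
    whether a packet belongs to an established session and which way
    it travels (client -> server is "to_server")."""

    def __init__(self):
        self.state = {}    # canonical 4-tuple -> "syn" | "synack" | "established"
        self.client = {}   # canonical 4-tuple -> (src, sport) of the initiator

    @staticmethod
    def key(p):
        # Same key for both directions of one connection.
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def update(self, p):
        k = self.key(p)
        st = self.state.get(k)
        if "S" in p.flags and "A" not in p.flags:              # SYN
            self.state[k] = "syn"
            self.client[k] = (p.src, p.sport)
        elif "S" in p.flags and "A" in p.flags and st == "syn":  # SYN/ACK
            self.state[k] = "synack"
        elif "A" in p.flags and st == "synack" and (p.src, p.sport) == self.client[k]:
            self.state[k] = "established"                      # final ACK
        return self.state.get(k)

    def flow(self, p):
        """Return (established, direction) for this packet."""
        k = self.key(p)
        established = self.state.get(k) == "established"
        if k in self.client:
            direction = "to_server" if (p.src, p.sport) == self.client[k] else "to_client"
        else:
            direction = "to_server"   # no session seen: treat as an unsolicited probe
        return established, direction


def run_rules(packets, rules):
    """Feed packets through the tracker and return (msg, src, dst) alerts."""
    tracker = FlowTracker()
    alerts = []
    for p in packets:
        tracker.update(p)
        established, direction = tracker.flow(p)
        for r in rules:
            if r.content not in p.payload:
                continue
            if r.flow is not None:
                want_dir, want_state = r.flow
                if want_state == "established" and not established:
                    continue
                if want_dir != direction:
                    continue
            alerts.append((r.msg, p.src, p.dst))
    return alerts


SIG = b"BACKDOOR-TEST"   # constructed signature, stands in for a rule's content:
RULES = [
    Rule("stateless", SIG, None),
    Rule("flow", SIG, ("to_server", "established")),
]


def single_packet_probe():
    """One bare ACK packet carrying the signature, no handshake at all."""
    return [Packet("10.0.0.9", "10.0.0.5", 4444, 31337, "A", SIG)]


def full_conversation():
    """Handshake first, then the same payload inside the established session."""
    c, s = ("10.0.0.9", 4444), ("10.0.0.5", 31337)
    return [
        Packet(c[0], s[0], c[1], s[1], "S"),
        Packet(s[0], c[0], s[1], c[1], "SA"),
        Packet(c[0], s[0], c[1], s[1], "A"),
        Packet(c[0], s[0], c[1], s[1], "A", SIG),
    ]


if __name__ == "__main__":
    print("single packet :", run_rules(single_packet_probe(), RULES))
    print("conversation  :", run_rules(full_conversation(), RULES))
```

The stateless rule fires in both runs; the flow-constrained rule fires only for the payload that arrives inside a completed handshake, which is the behaviour Erek describes. One practical caveat for Snort 2.0 itself: the "flow:" option depends on the stream4 preprocessor being enabled in snort.conf, so if that preprocessor is commented out the backdoor rules will never see an "established" session to match against.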
Current thread:
- Snort and backdoors Wojciech M. (Jul 10)
- Re: Snort and backdoors Erek Adams (Jul 10)