Snort mailing list archives

Re: Snort and backdoors


From: Erek Adams <erek () snort org>
Date: Thu, 10 Jul 2003 06:44:22 -0400 (EDT)

On Thu, 10 Jul 2003, Wojciech M. wrote:

> I added to snort.conf (version 2.0.0) the line:
> include $RULE_PATH/backdoor.rules
>
> and I started Snort:
> snort -A full -l /home/test/log -h my_home_network/32 -c /etc/snort.conf
>
> All worked fine, but Snort didn't log any of the backdoors. This is strange
> because it logged other attacks. To test Snort I used Nessus.
>
> What did I do wrong?

Nothing.

If you look at the backdoor ruleset, you'll see that the keyword "flow:"
is used on almost every rule.  Flow keeps track of state and understands
the difference between a single packet containing the backdoor code and an
entire 'conversation' that contains it.  Basically, if "flow:" is used,
you're going to look at the entire conversation, not just one packet.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
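The behaviour described in the reply, as an added illustrative model that is not Snort's own code: a tiny stream tracker gates a content match on TCP session state, so the same bytes alert inside a completed conversation but not in a lone packet that was never part of one. The Packet and FlowTracker classes, the addresses and the marker bytes are constructed for this demonstration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str            # TCP flags as letters, e.g. "S", "SA", "A", "PA"
    payload: bytes = b""

class FlowTracker:
    """Minimal model of the session tracking behind Snort's flow: keyword."""
    def __init__(self):
        self.state = {}   # (client, server) -> "syn" | "synack" | "established"
    def update(self, p):
        if p.flags == "S":
            self.state[(p.src, p.dst)] = "syn"
        elif p.flags == "SA" and self.state.get((p.dst, p.src)) == "syn":
            self.state[(p.dst, p.src)] = "synack"
        elif "A" in p.flags and self.state.get((p.src, p.dst)) == "synack":
            self.state[(p.src, p.dst)] = "established"

    def direction(self, p):
        """'to_server' or 'to_client' inside an established session, else None."""
        if self.state.get((p.src, p.dst)) == "established":
            return "to_server"
        if self.state.get((p.dst, p.src)) == "established":
            return "to_client"
        return None

def run_rule(packets, content, flow=None):
    """Indices of packets that alert; flow=None models a stateless rule."""
    tracker, hits = FlowTracker(), []
    for i, p in enumerate(packets):
        tracker.update(p)   # session state is advanced before the rule is tested
        if content in p.payload and (
            flow is None or tracker.direction(p) == flow.split(",")[0]
        ):
            hits.append(i)
    return hits

# Constructed traffic: a full handshake then a data packet (index 3), and a
# stray packet carrying the same bytes with no session behind it (index 4).
MARKER = b"BACKDOOR-MARKER"   # stand-in for a rule's content: string
TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.9", "S"),
    Packet("10.0.0.9", "10.0.0.5", "SA"),
    Packet("10.0.0.5", "10.0.0.9", "A"),
    Packet("10.0.0.5", "10.0.0.9", "PA", MARKER),
    Packet("10.0.0.7", "10.0.0.9", "PA", MARKER),
]
```

A stateless rule fires on both packets carrying the marker, while the flow-gated form fires only on the one inside the established session, which is why a single-packet probe can go unlogged.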



