[Bro] Backdoor Analyzer for interactive traffic
abhinay at cs.utexas.edu
Tue Nov 14 13:22:35 PST 2006
The interconn analyzer is detecting the interactive connections that I
am generating. I am using a custom server (netcat) to generate the
interactive connections on random ports. However, the interconn analyzer
was able to detect interactive connections only on standard ports like
telnet/ssh because the packet filter that is loaded on startup captures
traffic on these ports. According to the paper, the filter
(ip[2:2] - ((ip&0x0f)<<2) - (tcp>>2)) <= 20
should be loaded to capture all "small" packets. However, when I print
the capture filter using
print-filter analyzer, I cannot see this filter being loaded. How and
when is this filter loaded? I want to be able to detect interactive
connections on any random port.
Vern Paxson wrote:
>> The backdoor policy script in Bro only has the implementation
>> for detecting special-purpose backdoors. Is there any way I can use the
>> general algorithm in Bro?
> It's implemented but in a separate policy script, interconn.bro.
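The "small packet" filter the post asks about, as an added example that is not code from Bro, from the paper, or from either poster. In Zhang and Paxson's backdoor paper the expression carries explicit byte offsets, (ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 20: IP total length minus IP header length minus TCP header length is the TCP payload length, and a packet is kept when that is at most 20 bytes. The Python below evaluates that predicate on raw IPv4 packets field by field, the way BPF does, and runs it over a few constructed packets on a non-standard port; the packet builder, the addresses and the ports are assumptions made for the example, not anything from the page.

```python
import struct
from typing import List, Optional, Tuple

# The "small packet" capture filter from Zhang & Paxson, "Detecting Backdoors"
# (USENIX Security 2000). This is valid tcpdump/libpcap filter syntax.
SMALL_PACKET_BPF = "(ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 20"


def tcp_payload_len(pkt: bytes) -> Optional[int]:
    """TCP payload length of a raw IPv4 packet (no link-layer header), computed
    from the same header bytes the BPF expression reads. Returns None for
    packets that are not IPv4/TCP or are too short to evaluate; BPF rejects
    those as well, since 'tcp[...]' implies 'ip proto 6'."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        return None
    ip_hdr_len = (pkt[0] & 0x0F) << 2                    # (ip[0]&0x0f)<<2: IHL in bytes
    ip_total_len = struct.unpack_from("!H", pkt, 2)[0]   # ip[2:2]: total length
    if pkt[9] != 6:                                      # protocol field must be TCP
        return None
    if len(pkt) < ip_hdr_len + 13:
        return None
    # tcp[12]>>2 equals the data-offset nibble times 4 only because the
    # adjacent reserved bits are zero on the wire; the paper relies on that.
    tcp_hdr_len = pkt[ip_hdr_len + 12] >> 2
    return ip_total_len - ip_hdr_len - tcp_hdr_len


def is_small_packet(pkt: bytes, max_payload: int = 20) -> bool:
    """True when the capture filter would keep the packet."""
    n = tcp_payload_len(pkt)
    return n is not None and n <= max_payload


def build_ipv4_tcp(payload: bytes, ip_opts: bytes = b"", tcp_opts: bytes = b"",
                   sport: int = 40000, dport: int = 31337) -> bytes:
    """Assumed helper for the example: a minimal IPv4/TCP packet with zeroed
    checksums (enough for a filter check). Options must already be padded to
    a multiple of 4 bytes, as they are on the wire."""
    if len(ip_opts) % 4 or len(tcp_opts) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    ihl = (20 + len(ip_opts)) // 4
    dofs = (20 + len(tcp_opts)) // 4
    total = 20 + len(ip_opts) + 20 + len(tcp_opts) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0x1234, 0x4000,
                         64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_opts
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, dofs << 4,
                          0x18, 65535, 0, 0) + tcp_opts         # flags PSH|ACK
    return ip_hdr + tcp_hdr + payload


def demo_capture() -> List[Tuple[str, bytes]]:
    """A constructed capture of a netcat-style session on port 31337: typed
    lines, a pure ACK, and one bulk data segment."""
    return [
        ("keystroke line 'ls'", build_ipv4_tcp(b"ls\n")),
        ("pure ACK", build_ipv4_tcp(b"")),
        ("keystroke line with TCP options", build_ipv4_tcp(b"cat /etc/passwd\n", tcp_opts=bytes(12))),
        ("bulk data segment", build_ipv4_tcp(b"A" * 1400)),
    ]


def apply_small_packet_filter(capture: List[Tuple[str, bytes]]) -> List[str]:
    """Labels of the packets the capture filter would pass on to the analyzer."""
    return [label for label, pkt in capture if is_small_packet(pkt)]


if __name__ == "__main__":
    for label, pkt in demo_capture():
        print(f"{label:35s} payload={tcp_payload_len(pkt):5d} kept={is_small_packet(pkt)}")
```

Two things worth keeping in mind when testing this the way the post describes. The expression is accepted verbatim by tcpdump, so `tcpdump -n '(ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 20'` shows directly what such a filter keeps, independently of what Bro loads. And the filter is only a capture reduction, not a detector: as the example shows, it passes zero-payload segments such as pure ACKs along with keystroke lines, so the interactivity decision is still made by the analyzer on whatever gets through.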