[Bro] Detection of backdoors with Bro.
johanna at icir.org
Tue Jan 3 02:52:35 PST 2017
> I noticed that the bro script Backdoor.bro has been deprecated with Bro
You are right, the backdoor analyzer has been deprecated (note - not
backdoor.bro, that also existed and was removed after 1.5).
> So, what is now the script or group of scripts (or method) used to deal
> with this kind of problem. As I use Bro mainly to read tcpdump pcaps of my
> desktop Internet/browser sessions and malware installed this way is a
Are you actually using the functionality that the backdoor analyzer
provides? As far as I am aware, it has not been active by default in any
recent version of Bro - you always needed to activate it yourself - and
has not seen any active maintenance in a while. If you have been using
this in practice, and it has been useful to you, I would actually be
interested in hearing about it.
In any case, you should always be able to use the current version of it
and compile it as a module, in case it will be removed in a future version.
I hope this helps,