[Bro] Detection of backdoors with Bro.

Johanna Amann johanna at icir.org
Tue Jan 3 02:52:35 PST 2017

Hello Luca,

> I noticed that the bro script Backdoor.bro has been deprecated with Bro
> 2.5.

You are right, the backdoor analyzer has been deprecated (note - not
backdoor.bro, that also existed and was removed after 1.5).

> So,what is now the script or group of scripts (or method) used to deal
> with this kind of problem. As a use Bro mainly to read tcpdump pcaps of my
> desktop Internet/browser sessions and malware installed this way is a
> concern.

Are you actually using the functionality that the backdoor analyzer
provides? As far as I am aware, it has not been active by default in any
recent version of Bro - you always needed to activate it yourself - and
has not seen any active maintenance in a while. If you have been using
this in practice, and it has been useful to you, I would actually be
interested in hearing about it.

In any case - you should always be able to use the current version of it
and compile it as a module, in case it will be removed in a future version
of Bro.

I hope this helps,

More information about the Bro mailing list