missing_documentation
Vern Paxson
vern at aciri.org
Sat Nov 24 00:11:20 PST 2001
> I'm using bro version 07a90 .I have read the documentation to know how
> the scripts work, and make some change to adapt the analyzers to the net
> configuration.But the documentation is missing for 4 script:
> code-red,backdoor,stepping and intercon.
code-red (which is renamed "worm" in subsequent releases, but 0.7a90 is
still the latest public release) was added recently, and hasn't yet been
documented. backdoor, stepping, and interconn are experimental Bro
features (corresponding to the "Detecting Backdoors" and "Detecting
Stepping Stones" papers in doc/), which likewise haven't yet been
documented.
> The problem is the fourth, what does what it serve? and how
> work?
interconn implements the generic "interactive connection" backdoor detector
described in the Detecting Backdoors paper. It's not supported. If you
want to play with it, "@load interconn" should suffice to activate it,
and it will log apparent interactive backdoors to interconn.$BRO_ID. I don't
currently use it operationally (I do use code-red, backdoor, and stepping),
so it may not work properly due to bit-rot.
Vern
More information about the Bro
mailing list