[Bro] Backdoor Analyzer for interactive traffic

Abhinay Kampasi abhinay at cs.utexas.edu
Tue Nov 14 13:22:35 PST 2006


Thanks Vern,

The interconn analyzer is detecting the interactive connections that I 
am generating. I am using a custom server (netcat) to generate the 
interactive connections on random ports. However, the interconn analyzer 
was able to detect interactive connections only on standard ports like 
telnet/ssh because the packet filter that is loaded on startup captures 
traffic on these ports. According to the paper, the filter (ip[2:2] - 
((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 20 should be loaded to capture all 
"small" packets. However, when I print the capture filter using 
print-filter analyzer, I cannot see this filter being loaded. How and 
when is this filter loaded? I want to be able to detect interactive 
connections on any random port.

Regards,
Abhinay

Vern Paxson wrote:
>> The backdoor policy script in Bro only has the implementation
>> for detecting special-purpose backdoors. Is there any way I can use the
>> general algorithm in Bro?
>>     
>
> It's implemented but in a separate policy script, interconn.bro.
>
> 		Vern
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>   
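As an added illustration (my own code, not from the list post or from Bro), the filter expression quoted above evaluated in Python on constructed IPv4/TCP packets, so you can see what the arithmetic actually computes: IP total length minus IP header length minus TCP header length, i.e. the TCP payload size. The packet builder, addresses and ports are constructed sample values; the expression and the 20-byte threshold are the ones from the message.

```python
import struct

# Filter from the message: (ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 20
#   ip[2:2]          IPv4 total length
#   (ip[0]&0x0f)<<2  IPv4 header length (IHL * 4)
#   tcp[12]>>2       TCP header length (data offset * 4; equal to the BPF
#                    idiom only while the reserved bits in byte 12 are zero)
SMALL_PAYLOAD_MAX = 20


def tcp_payload_len(pkt: bytes) -> int:
    """Evaluate the filter's arithmetic on a raw IPv4/TCP packet (no link layer)."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        raise ValueError("not an IPv4 packet")
    if pkt[9] != 6:
        raise ValueError("not TCP")
    ip_total_len = struct.unpack_from("!H", pkt, 2)[0]   # ip[2:2]
    ihl_bytes = (pkt[0] & 0x0F) << 2                     # (ip[0]&0x0f)<<2
    if len(pkt) < ihl_bytes + 13:
        raise ValueError("truncated TCP header")
    tcp_hdr_bytes = pkt[ihl_bytes + 12] >> 2             # tcp[12]>>2
    return ip_total_len - ihl_bytes - tcp_hdr_bytes


def is_small_packet(pkt: bytes) -> bool:
    """True when the filter would pass this packet to the interconn analyzer."""
    return tcp_payload_len(pkt) <= SMALL_PAYLOAD_MAX


def build_packet(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Constructed sample: minimal IPv4 + TCP headers around payload (checksums zeroed)."""
    tcp_hdr_len = 20 + len(tcp_options)
    assert tcp_hdr_len % 4 == 0, "TCP options must pad to a 32-bit boundary"
    data_offset = (tcp_hdr_len // 4) << 4                 # high nibble of byte 12
    tcp = struct.pack("!HHIIBBHHH", 40000, 31337, 1, 1, data_offset,
                      0x18, 65535, 0, 0) + tcp_options    # PSH|ACK, window 65535
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp + payload


if __name__ == "__main__":
    for name, pkt in [("keystroke", build_packet(b"a")),
                      ("bulk", build_packet(b"x" * 1000))]:
        print(name, tcp_payload_len(pkt), is_small_packet(pkt))
```

Note that the threshold is on payload bytes, not on the frame size, so a keystroke echo on a port like 31337 passes the filter exactly as one on telnet/ssh would.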
