[Bro] Backdoor Analyzer for interactive traffic
Abhinay Kampasi
abhinay at cs.utexas.edu
Tue Nov 14 13:22:35 PST 2006
Thanks Vern,
The interconn analyzer is detecting the interactive connections that I
am generating. I am using a custom server (netcat) to generate the
interactive connections on random ports. However, the interconn analyzer
was able to detect interactive connections only on standard ports like
telnet/ssh because the packet filter that is loaded on startup captures
traffic on these ports. According to the paper, the filter (ip[2:2] -
((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 20 should be loaded to capture all
"small" packets. However, when I print the capture filter using
print-filter analyzer, I cannot see this filter being loaded. How and
when is this filter loaded? I want to be able to detect interactive
connections on any random port.
Regards,
Abhinay
Vern Paxson wrote:
>> The backdoor policy script in Bro only has the implementation
>> for detecting special-purpose backdoors. Is there any way I can use the
>> general algorithm in Bro?
>>
>
> It's implemented but in a separate policy script, interconn.bro.
>
> Vern
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
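Added example (not from the original thread or from the Bro project): the BPF expression quoted above, `(ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 20`, computes the TCP payload length as "IP total length minus IP header length minus TCP header length" and keeps packets whose payload is at most 20 bytes. The Python below reproduces that arithmetic byte for byte on raw IPv4/TCP packets, so you can check against constructed packets which ones the "small packet" filter would admit, including packets with IP and TCP options where the header-length fields matter. The packet builder, thresholds and addresses are constructed for this example and are assumptions, not Bro code.

```python
import struct

# BPF expression from the message, in tcpdump/libpcap notation:
#   (ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 20
# ip[2:2]          -> IPv4 total length (2 bytes at offset 2, network order)
# (ip[0]&0x0f)<<2  -> IPv4 header length in bytes (IHL words * 4)
# tcp[12]>>2       -> TCP header length in bytes (data offset words * 4); this is
#                     only exact when the reserved bits in the low nibble of TCP
#                     byte 12 are zero, which is the normal case on the wire.

SMALL_PACKET_THRESHOLD = 20  # the "<= 20" in the quoted filter


def bpf_payload_len(ip_pkt: bytes) -> int:
    """TCP payload length computed exactly as the BPF expression does."""
    if len(ip_pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ihl_bytes = (ip_pkt[0] & 0x0F) << 2            # ((ip[0]&0x0f)<<2)
    total_len = struct.unpack_from("!H", ip_pkt, 2)[0]  # ip[2:2]
    if ip_pkt[9] != 6:                             # protocol field must be TCP
        raise ValueError("not a TCP packet")
    tcp = ip_pkt[ihl_bytes:]
    if len(tcp) < 13:
        raise ValueError("truncated TCP header")
    tcp_hdr_bytes = tcp[12] >> 2                   # (tcp[12]>>2)
    return total_len - ihl_bytes - tcp_hdr_bytes


def is_small_packet(ip_pkt: bytes, threshold: int = SMALL_PACKET_THRESHOLD) -> bool:
    """True when the quoted capture filter would accept this packet."""
    return bpf_payload_len(ip_pkt) <= threshold


def build_tcp_packet(payload: bytes, ip_options: bytes = b"",
                     tcp_options: bytes = b"", dport: int = 23) -> bytes:
    """Constructed IPv4/TCP packet for testing (checksums left at zero).

    Option blobs must pad the respective header to a multiple of 4 bytes,
    as real stacks do; 0x01 is the NOP option in both IPv4 and TCP.
    """
    ip_hdr_len = 20 + len(ip_options)
    tcp_hdr_len = 20 + len(tcp_options)
    if ip_hdr_len % 4 or tcp_hdr_len % 4:
        raise ValueError("options must keep headers 4-byte aligned")
    total = ip_hdr_len + tcp_hdr_len + len(payload)
    ver_ihl = (4 << 4) | (ip_hdr_len // 4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total, 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    data_offset_byte = (tcp_hdr_len // 4) << 4     # data offset in high nibble
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0,
                          data_offset_byte, 0x18, 8192, 0, 0) + tcp_options
    return ip_hdr + tcp_hdr + payload


def count_small(packets, threshold: int = SMALL_PACKET_THRESHOLD) -> int:
    """How many packets in a capture the filter would pass through."""
    return sum(1 for p in packets if is_small_packet(p, threshold))


if __name__ == "__main__":
    # Constructed sample traffic: keystroke-sized segments on an arbitrary
    # port versus a bulk-transfer segment on the same port.
    sample = [
        build_tcp_packet(b"ls -l\r\n", dport=31337),
        build_tcp_packet(b"x" * 1400, dport=31337),
        build_tcp_packet(b"y" * 20, ip_options=b"\x01" * 4,
                         tcp_options=b"\x01" * 12, dport=31337),
    ]
    for p in sample:
        print(bpf_payload_len(p), is_small_packet(p))
    print("small packets:", count_small(sample))
```

Because the expression works only from header fields, it is port-agnostic: the same packet is admitted whether it is sent to port 23 or to an arbitrary high port, which is the property you want if the goal is catching interactive sessions on non-standard ports. Note the third packet: with IP and TCP options present, a naive "total length - 40" would misreport the payload, while the IHL and data-offset terms in the BPF expression handle it correctly.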