[Snort-users] RE: BO pre-processor

larosa, vjay larosa_vjay at ...3331...
Tue Jun 18 12:39:10 EDT 2002

I guess that is really a problem then. BO2K is very simple to acquire and is
very easy to configure.
I don't like the idea of not being able to detect this traffic on my
networks... Anybody else have any thoughts on this? Thanks!


-----Original Message-----
From: Larc [mailto:larc at ...1187...]
Sent: Tuesday, June 18, 2002 3:37 PM
To: larosa, vjay; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] RE: BO pre-processor

It's not so easy to detect BO2K, because the traffic is encrypted.
If I can still remember something from my SANS course, then in the beginning
of BO2K it was possible, but the coders changed the code and now it is
impossible (till someone finds the way to detect it).

Stefan Dens

----- Original Message -----
From: "larosa, vjay" <larosa_vjay at ...3331...>
To: <snort-users at lists.sourceforge.net>
Sent: Tuesday, June 18, 2002 8:07 PM
Subject: [Snort-users] RE: BO pre-processor

> I believe I might understand why I don't see any events with snort, the BO
> explanation in the snort.conf does state
> Back Orifice (not BO2K). So if snort does not detect BO2K does anybody
> there know of a way to identify this
> traffic on the network? Thanks!
> vjl
> >  -----Original Message-----
> > From: larosa, vjay
> > Sent: Tuesday, June 18, 2002 1:56 PM
> > To: 'snort-users at lists.sourceforge.net'
> > Subject: BO pre-processor
> >
> > Hello,
> >
> > Has anybody done any work with the Back Orifice 2000 Pre-Processor? I
> > have been testing in my lab and snort appears to be missing
> > all of the BO traffic. I have tried with and without the -nobrute
> > I am not that familiar with BO, but I am remote controlling the
> > PC so I would expect to see some sort of alert from snort right? Thanks!
> >
> > vjl