[Snort-users] RE: BO pre-processor

Claude Bailey Claude.Bailey at ...537...
Tue Jun 18 13:03:02 EDT 2002


Our antivirus system reportedly detects BO2K. I've been relying on it.

-----Original Message-----
From: larosa, vjay [mailto:larosa_vjay at ...3331...]
Sent: Tuesday, June 18, 2002 2:39 PM
To: 'Larc'; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] RE: BO pre-processor


I guess that is really a problem then. BO2K is very simple to acquire and is
very easy to configure. I don't like the idea of not being able to detect
this traffic on my networks... Anybody else have any thoughts on this?
Thanks!

vjl

-----Original Message-----
From: Larc [mailto:larc at ...1187...]
Sent: Tuesday, June 18, 2002 3:37 PM
To: larosa, vjay; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] RE: BO pre-processor


It's not so easy to detect BO2K, because the traffic is encrypted.
If I can still remember something from my SANS course, then in the beginning
of BO2K it was possible, but the coders changed the code and now it is
impossible (till someone finds the way to detect it).

Stefan Dens

----- Original Message -----
From: "larosa, vjay" <larosa_vjay at ...3331...>
To: <snort-users at lists.sourceforge.net>
Sent: Tuesday, June 18, 2002 8:07 PM
Subject: [Snort-users] RE: BO pre-processor


> I believe I might understand why I don't see any events with snort: the BO
> explanation in the snort.conf does state Back Orifice (not BO2K). So if
> snort does not detect BO2K, does anybody out there know of a way to
> identify this traffic on the network? Thanks!
>
> vjl
>
> >  -----Original Message-----
> > From: larosa, vjay
> > Sent: Tuesday, June 18, 2002 1:56 PM
> > To: 'snort-users at lists.sourceforge.net'
> > Subject: BO pre-processor
> >
> > Hello,
> >
> > Has anybody done any work with the Back Orifice 2000 Pre-Processor? I
> > have been testing in my lab and snort appears to be missing all of the
> > BO traffic. I have tried with and without the -nobrute option. I am not
> > that familiar with BO, but I am remote controlling the PC so I would
> > expect to see some sort of alert from snort, right? Thanks!
> >
> > vjl
>


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users