[Snort-users] Snort and backdoors

Erek Adams erek at ...950...
Thu Jul 10 03:45:15 EDT 2003


On Thu, 10 Jul 2003, Wojciech M. wrote:

> I added to snort.conf (version 2.0.0) line:
> include $RULE_PATH/backdoor.rules
>
> and I started Snort:
> snort -A full -l /home/test/log -h my_home_network/32 -c /etc/snort.conf
>
> All worked fine, but Snort didn't log any of the backdoors. This is strange
> because it logged other attacks. To test Snort I used Nessus.
>
> What did I do wrong?

Nothing.

If you look at the backdoor ruleset, you'll see that the keyword "flow:"
is used on almost every rule.  Flow keeps track of state and understands
the difference between a single packet containing the backdoor code and an
entire 'conversation' that contains it.  Basically, if "flow:" is used,
you're going to look at the entire conversation, not just one packet.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
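The behaviour Erek describes, shown as an added example that is not part of the original post and is not Snort code: a toy flow tracker that only marks a TCP session "established" after it has seen SYN, SYN/ACK and ACK, and two content rules that differ only in whether they carry the equivalent of "flow:established". The rule names, addresses, port 31337 and the "BACKDOOR" payload are constructed for the illustration; Snort's real stream tracking and the direction part of "flow:" (to_server/from_client) are not modelled.

```python
"""Why a rule carrying 'flow:...,established' stays quiet on a lone packet.

Added illustration, not Snort code. The packets, rule names, addresses and
payload below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: set
    payload: bytes = b""


@dataclass
class Rule:
    name: str
    content: bytes        # stands in for the rule's "content:" option
    dport: int
    established: bool     # True if the rule carries flow:established


class FlowTracker:
    """Minimal stand-in for Snort's stream/flow state: a session counts as
    established only after SYN, SYN/ACK and ACK have all been observed."""

    def __init__(self):
        self.state = {}   # connection key -> "SYN" | "SYN_ACK" | "ESTABLISHED"

    @staticmethod
    def key(p):
        # Same key for both directions of one connection.
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def observe(self, p):
        k = self.key(p)
        st = self.state.get(k)
        if p.flags == {"SYN"}:
            self.state[k] = "SYN"
        elif p.flags == {"SYN", "ACK"} and st == "SYN":
            self.state[k] = "SYN_ACK"
        elif "ACK" in p.flags and st == "SYN_ACK":
            self.state[k] = "ESTABLISHED"
        return self.state.get(k) == "ESTABLISHED"


def run(rules, packets):
    """Feed packets through the tracker and return the names of rules that fire."""
    tracker = FlowTracker()
    alerts = []
    for p in packets:
        established = tracker.observe(p)
        for r in rules:
            if p.dport != r.dport or r.content not in p.payload:
                continue
            if r.established and not established:
                continue   # flow: suppresses the match outside a tracked session
            alerts.append(r.name)
    return alerts


RULES = [
    Rule("backdoor-stateless", b"BACKDOOR", 31337, established=False),
    Rule("backdoor-flow", b"BACKDOOR", 31337, established=True),
]


def scanner_probe():
    # Constructed: one payload packet with no preceding handshake, the kind
    # of thing a stateless probe produces.
    return [Packet("10.0.0.5", 40000, "10.0.0.9", 31337, {"PSH", "ACK"},
                   b"BACKDOOR ping")]


def full_conversation():
    # Constructed: three-way handshake, then the same payload inside the session.
    c, s = ("10.0.0.5", 40001), ("10.0.0.9", 31337)
    return [
        Packet(*c, *s, {"SYN"}),
        Packet(*s, *c, {"SYN", "ACK"}),
        Packet(*c, *s, {"ACK"}),
        Packet(*c, *s, {"PSH", "ACK"}, b"BACKDOOR ping"),
    ]


if __name__ == "__main__":
    print("lone probe      ->", run(RULES, scanner_probe()))
    print("full connection ->", run(RULES, full_conversation()))
```

The lone probe fires only the stateless rule; the same bytes sent inside a completed handshake fire both. That is the difference between "one packet contains the string" and "the conversation contains the string" that the "flow:" keyword enforces, and why a test that does not complete the TCP session leaves the backdoor rules silent.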
