[Snort-users] Snort and backdoors
erek at ...950...
Thu Jul 10 03:45:15 EDT 2003
On Thu, 10 Jul 2003, Wojciech M. wrote:
> I added to snort.conf (version 2.0.0) the line:
> include $RULE_PATH/backdoor.rules
> and I started Snort:
> snort -A full -l /home/test/log -h my_home_network/32 -c /etc/snort.conf
> All worked fine, but Snort didn't log any of the backdoors. This is strange
> because it logged other attacks. To test Snort I used Nessus.
> What did I do wrong?
If you look at the backdoor ruleset, you'll see that the keyword "flow:"
is used on almost every rule. Flow keeps track of state and understands
the difference between a single packet containing the backdoor code and an
entire 'conversation' that contains it. Basically, if "flow:" is used,
you're going to look at the entire conversation, not just one packet.
"When things get weird, the weird turn pro." H.S. Thompson
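An added illustration of the point made above (not part of the original post or of Snort's code): a per-packet match misses content that is split across TCP segments, while a stream-aware match over the reassembled conversation, which is what a rule using "flow:" relies on, catches it. The segments, the marker string and the helper names are constructed for the example; the reassembly is a simplification of what Snort's stream preprocessor does, and the real "flow:" keyword also encodes direction and connection state, which this toy does not model.

```python
"""
Toy comparison of stateless (per-packet) vs stream-aware (per-flow) matching.
Added example, not code from the mailing-list thread or from Snort.
All traffic below is constructed; the marker is not real backdoor content.
"""
from dataclasses import dataclass, field

# Constructed marker standing in for the content a backdoor rule looks for.
SIGNATURE = b"EXAMPLE-BACKDOOR-BANNER"


@dataclass(frozen=True)
class Segment:
    """One TCP segment: flow endpoints, sequence number and payload."""
    src: str
    dst: str
    seq: int
    payload: bytes


def match_per_packet(segments, signature=SIGNATURE):
    """Stateless matching: inspect each payload on its own (no 'flow:')."""
    return [s for s in segments if signature in s.payload]


@dataclass
class Conversation:
    """Payloads for one direction of a flow, keyed by sequence number."""
    segments: dict = field(default_factory=dict)

    def add(self, seg):
        self.segments[seg.seq] = seg.payload

    def stream(self):
        # Reassemble in sequence order; this toy ignores gaps and overlaps.
        return b"".join(self.segments[k] for k in sorted(self.segments))


def match_per_flow(segments, signature=SIGNATURE):
    """Stream-aware matching: group by (src, dst), reassemble, then match.
    Returns the flow keys whose reassembled stream contains the signature."""
    flows = {}
    for seg in segments:
        flows.setdefault((seg.src, seg.dst), Conversation()).add(seg)
    return [key for key, conv in flows.items() if signature in conv.stream()]


# Constructed traffic: the marker is split across two segments that also
# arrive out of order, plus an unrelated reply in the other direction.
SAMPLE_SEGMENTS = [
    Segment("10.0.0.5", "10.0.0.9", seq=1018, payload=b"DOOR-BANNER ok\n"),
    Segment("10.0.0.5", "10.0.0.9", seq=1000, payload=b"hello EXAMPLE-BACK"),
    Segment("10.0.0.9", "10.0.0.5", seq=5000, payload=b"ack\n"),
]

if __name__ == "__main__":
    print("per-packet hits:", match_per_packet(SAMPLE_SEGMENTS))
    print("per-flow hits:  ", match_per_flow(SAMPLE_SEGMENTS))
```

Running it shows no per-packet hit, because no single payload carries the whole marker, and one per-flow hit for the 10.0.0.5 to 10.0.0.9 direction once the two segments are put back in sequence order. This is why a ruleset built on "flow:" only produces alerts when Snort can track the whole conversation rather than isolated packets.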