[Snort-users] Snort and backdoors

Erek Adams erek at ...950...
Thu Jul 10 03:45:15 EDT 2003

On Thu, 10 Jul 2003, Wojciech M. wrote:

> I added to snort.conf (version 2.0.0) line:
> include $RULE_PATH/backdoor.rules
> and I started Snort:
> snort -A full -l /home/test/log -h my_home_network/32 -c /etc/snort.conf
> All worked fine, but Snort didn't log any of the backdoors. This is strange
> because it logged other attacks. To test Snort I used Nessus.
> What did I do wrong?


If you look at the backdoor ruleset, you'll see that the keyword "flow:"
is used on almost every rule.  Flow keeps track of state and understands
the difference between a single packet containing the backdoor code and an
entire 'conversation' that contains it.  Basically, if "flow:" is used,
you're going to look at the entire conversation, not just one packet.


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
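The point Erek makes above can be shown with a small model of how a flow-gated rule behaves. This is an added example, not code from the thread, from Nessus or from the Snort project: it models a stateful TCP tracker (a session counts as established once the SYN, SYN/ACK, ACK handshake has been seen) and a rule whose content match is gated by a flow option such as "to_server,established". The packet objects, the port 31337, the payload marker and the rule text are all constructed placeholders for illustration and are not taken from backdoor.rules.

```python
"""Model of why a rule carrying 'flow:...,established' does not fire on a
lone packet. Added example; the packets, port and payload marker are
constructed placeholders, not real signatures or Snort code."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str            # "S", "SA", "A", "PA" (TCP flag abbreviations)
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    msg: str
    dport: Optional[int]  # None means any destination port
    content: bytes
    flow: Optional[str]   # e.g. "to_server,established"; None = stateless rule


class FlowTracker:
    """Tracks TCP sessions by the unordered pair of endpoints. A session is
    'established' only after S, SA, A have been seen in order; the side that
    sent the SYN is remembered as the client so direction can be checked."""

    def __init__(self):
        self.state = {}  # endpoint pair -> (state_name, client_endpoint)

    @staticmethod
    def key(p):
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def update(self, p):
        k = self.key(p)
        st = self.state.get(k)
        if p.flags == "S" and st is None:
            self.state[k] = ("syn", (p.src, p.sport))
        elif p.flags == "SA" and st and st[0] == "syn":
            self.state[k] = ("synack", st[1])
        elif p.flags == "A" and st and st[0] == "synack":
            self.state[k] = ("established", st[1])
        # Any other packet (including a lone data packet) creates no state.

    def established(self, p):
        st = self.state.get(self.key(p))
        return bool(st) and st[0] == "established"

    def to_server(self, p):
        st = self.state.get(self.key(p))
        return bool(st) and st[1] == (p.src, p.sport)


def match(rule, p, tracker):
    """Content/port check first, then the flow gate if the rule has one."""
    if rule.dport is not None and p.dport != rule.dport:
        return False
    if rule.content not in p.payload:
        return False
    if rule.flow is None:
        return True
    opts = set(rule.flow.split(","))
    if "established" in opts and not tracker.established(p):
        return False
    if "to_server" in opts and not tracker.to_server(p):
        return False
    return True


def run(packets, rules):
    """Feed packets through the tracker in order; return the alert messages."""
    tracker = FlowTracker()
    alerts = []
    for p in packets:
        tracker.update(p)
        alerts.extend(r.msg for r in rules if match(r, p, tracker))
    return alerts


# Constructed sample traffic (placeholder hosts, port and marker).
CLIENT, SERVER, PORT = "10.0.0.5", "10.0.0.9", 31337
MARK = b"EXAMPLE-BANNER"  # constructed marker, not a real backdoor signature

FLOW_RULE = Rule("example banner (flow-aware)", PORT, MARK, "to_server,established")
STATELESS_RULE = Rule("example banner (stateless)", PORT, MARK, None)
ANYPORT_RULE = Rule("example banner (any port, to_server)", None, MARK, "to_server,established")


def lone_packet():
    """One data packet with the marker and no handshake in front of it."""
    return [Packet(CLIENT, SERVER, 40000, PORT, "PA", MARK)]


def full_session():
    """Three-way handshake followed by the same data packet."""
    return [
        Packet(CLIENT, SERVER, 40001, PORT, "S"),
        Packet(SERVER, CLIENT, PORT, 40001, "SA"),
        Packet(CLIENT, SERVER, 40001, PORT, "A"),
        Packet(CLIENT, SERVER, 40001, PORT, "PA", MARK),
    ]


def server_reply_session():
    """Established session where only the server sends the marker."""
    return full_session()[:3] + [Packet(SERVER, CLIENT, PORT, 40001, "PA", MARK)]


if __name__ == "__main__":
    print("lone packet, flow rule:     ", run(lone_packet(), [FLOW_RULE]))
    print("lone packet, stateless rule:", run(lone_packet(), [STATELESS_RULE]))
    print("full session, flow rule:    ", run(full_session(), [FLOW_RULE]))
    print("server reply, to_server:    ", run(server_reply_session(), [ANYPORT_RULE]))
```

The first run produces no alert even though the payload and port match, which is the situation described in the question: a probe that delivers the payload without a tracked, established session never satisfies the flow gate. The stateless rule fires on the same packet, and the flow-aware rule fires once the handshake has been seen. The last case shows the direction half of the gate: with "to_server", the marker in a server-to-client packet is ignored. The gating is what keeps these rules from alerting on stray or spoofed single packets, so when testing them the traffic used has to complete a real session.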
