Backdoor Analyzer for interactive traffic

Hi Vern,

I was reading the "Detecting Backdoors" paper which talks about a general
algorithm for detecting interactive traffic as well as some special-purpose
algorithms. The backdoor policy script in Bro only has the implementation
for detecting special-purpose backdoors. Is there any way I can use the
general algorithm in Bro? I am writing an anomaly detector which needs to be
applied only on interactive traffic.

Thanks and Regards,
Abhinay

> The backdoor policy script in Bro only has the implementation
> for detecting special-purpose backdoors. Is there any way I can use the
> general algorithm in Bro?

It's implemented but in a separate policy script, interconn.bro.

    Vern

Thanks Vern,

The interconn analyzer is detecting the interactive connections that I am generating. I am using a custom server (netcat) to generate the interactive connections on random ports. However, the interconn analyzer was able to detect interactive connections only on standard ports like telnet/ssh because the packet filter that is loaded on startup captures traffic on these ports. According to the paper, the filter (ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 20 should be loaded to capture all "small" packets. However, when I print the capture filter using print-filter analyzer, I cannot see this filter being loaded. How and when is this filter loaded? I want to be able to detect interactive connections on any random port.

Regards,
Abhinay

Vern Paxson wrote:

> According to the paper, the filter (ip[2:2] -
> ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 20 should be loaded to capture all
> "small" packets. However, when I print the capture filter using
> print-filter analyzer, I cannot see this filter being loaded. How and
> when is this filter loaded? I want to be able to detect interactive
> connections on any random port.

In your wrapper script, add

  redef capture_filters += {
    ["interconn"] =
      "(ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 20"
  };

to explicitly set the filter.

    Vern
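To see concretely what the capture filter above selects, here is an added example (not from the thread or from Bro itself) that evaluates the same arithmetic on raw IPv4/TCP packets: total IP length minus IP header length minus TCP data offset, kept when the result is at most 20 bytes. The packets are constructed inline (ports, addresses and payloads are made up); the only assumption beyond the filter is that the reserved TCP bits are zero, which is when BPF's `tcp[12]>>2` equals four times the data-offset nibble.

```python
import struct

SMALL_PAYLOAD_MAX = 20  # the "<= 20" threshold from the thread's filter


def tcp_payload_len(pkt: bytes) -> int:
    """TCP payload length of a raw IPv4/TCP packet, mirroring the BPF expression:
       ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)."""
    ihl = (pkt[0] & 0x0F) << 2                    # (ip[0]&0x0f)<<2: IHL words * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]  # ip[2:2]: total IP length
    if pkt[9] != 6:                               # IP protocol field must be TCP
        raise ValueError("not a TCP packet")
    tcp = pkt[ihl:]
    # tcp[12] holds the data offset in its high nibble; BPF's tcp[12]>>2 equals
    # this only when the reserved low bits are zero (assumed here).
    data_off = (tcp[12] >> 4) << 2
    return total_len - ihl - data_off


def is_small_packet(pkt: bytes) -> bool:
    """True if the capture filter in the thread would pass this packet."""
    return tcp_payload_len(pkt) <= SMALL_PAYLOAD_MAX


def build_tcp_packet(payload: bytes, ip_options: bytes = b"",
                     tcp_options: bytes = b"") -> bytes:
    """Constructed sample IPv4/TCP packet (no checksums; addresses/ports made up)."""
    assert len(ip_options) % 4 == 0 and len(tcp_options) % 4 == 0
    ihl_words = 5 + len(ip_options) // 4
    doff_words = 5 + len(tcp_options) // 4
    total_len = ihl_words * 4 + doff_words * 4 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len,
                         0, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 31337, 0, 0, doff_words << 4,
                          0x18, 65535, 0, 0)  # PSH|ACK, as interactive data usually is
    return ip_hdr + ip_options + tcp_hdr + tcp_options + payload


if __name__ == "__main__":
    samples = {
        "single keystroke":      build_tcp_packet(b"l"),
        "short command line":    build_tcp_packet(b"ls -la\r\n"),
        "pure ACK (0 bytes)":    build_tcp_packet(b""),
        "bulk transfer segment": build_tcp_packet(b"A" * 1400),
        "7 bytes + IP/TCP opts": build_tcp_packet(b"x" * 7, b"\x00" * 8, b"\x01" * 12),
    }
    for name, pkt in samples.items():
        print(f"{name:24s} payload={tcp_payload_len(pkt):5d} small={is_small_packet(pkt)}")
```

Note that zero-payload segments (pure ACKs, SYNs) also pass the filter, so the filter only reduces capture volume; the keystroke-timing analysis itself is still interconn's job.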