I'm using bro version 0.7a90. I have read the documentation to know how
the scripts work, and made some changes to adapt the analyzers to the net
configuration. But the documentation is missing for 4 scripts:
code-red, backdoor, stepping and interconn.
code-red (which is renamed "worm" in subsequent releases, but 0.7a90 is
still the latest public release) was added recently, and hasn't yet been
documented. backdoor, stepping, and interconn are experimental Bro
features (corresponding to the "Detecting Backdoors" and "Detecting
Stepping Stones" papers in doc/), which likewise haven't yet been
The problem is the fourth: what does it serve? and how
interconn implements the generic "interactive connection" backdoor detector
described in the Detecting Backdoors paper. It's not supported. If you
want to play with it, "@load interconn" should suffice to activate it,
and it will log apparent interactive backdoors to interconn.$BRO_ID. I don't
currently use it operationally (I do use code-red, backdoor, and stepping),
so it may not work properly due to bit-rot.