[Snort-sigs] BrownOrifice

Ian Macdonald secsnortsigs at ...644...
Tue Aug 27 09:15:18 EDT 2002


Is it possible to be more specific? Searching for "<javascript>" and file
would generate a lot of false positives. Do you have any examples of traffic
that this backdoor generates? Does "file" always appear in the same location
in the message?

Ian
----- Original Message -----
From: "Esler, Joel" <EslerJ at ...785...>
To: <snort-sigs at lists.sourceforge.net>
Sent: Tuesday, August 27, 2002 11:56 AM
Subject: [Snort-sigs] BrownOrifice


> Has anyone seen, or developed a signature for BrownOrifice?  It would need
> to look for the word "file" in a javascript webpage.  Any thoughts?
>
> Joel




