secsnortsigs at ...644...
Tue Aug 27 12:11:20 EDT 2002
A basic rule would be something like:
alert tcp $external_net 80 -> $home_net any (msg: "TEST detect Brown Orifice activity"; content: "file\:"; nocase; content: "script"; nocase;)
This is just something off the top of my head based on the information you
have given me. Some problems with this rule, there are numerous ways to
I am also not sure how often "file:" would show up in a web page with
It might be easier to trap the response from the code being executed by the
Can you post any packet captures of traffic that you want to detect or
point to a good resource that describes how the tool works?
Please note I have not done any testing with this rule and make no
guarantees that it will be of any use to anyone or will even be accepted as
a valid snort rule.
----- Original Message -----
From: "Esler, Joel" <EslerJ at ...783...>
To: "'Ian Macdonald'" <secsnortsigs at ...644...>;
<snort-sigs at lists.sourceforge.net>
Sent: Tuesday, August 27, 2002 12:19 PM
Subject: RE: [Snort-sigs] BrownOrifice
> to allow an attacker to access local files through port 8080 on a computer
> using an older version of Netscape. All systems are vulnerable (windows,
> linux, unix... blah blah) if they use this web browser...
> -----Original Message-----
> From: Ian Macdonald [mailto:secsnortsigs at ...644...]
> Sent: Tuesday, August 27, 2002 12:13 PM
> To: Esler, Joel; snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] BrownOrifice
> would generate a lot of false positives. Do you have any examples of
> that this backdoor generates? Does "file" always appear in the same
> in the message?
> ----- Original Message -----
> From: "Esler, Joel" <EslerJ at ...785...>
> To: <snort-sigs at lists.sourceforge.net>
> Sent: Tuesday, August 27, 2002 11:56 AM
> Subject: [Snort-sigs] BrownOrifice
> > Has anyone seen, or developed a signature for BrownOrifice? It would
> > Joel
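A worked check of the rule's logic, added here and not part of the thread: a small Python evaluator that parses the rule Ian posted and runs it over three constructed packets, showing a true hit, the "file:" false positive he worried about (a benign page whose "Profile:" text contains "file:"), and that traffic served from the port 8080 listener Joel describes never reaches the content checks because the header requires source port 80. The $home_net/$external_net bindings and the sample packets are assumptions.

```python
import re
import ipaddress
# Snort variables bound to constructed sample networks (an assumption, not from the thread).
VARS = {"$home_net": "192.0.2.0/24", "$external_net": "203.0.113.0/24"}

# The rule posted in the thread, with the mail line-wrap joined back together.
RULE = ('alert tcp $external_net 80 -> $home_net any (msg: "TEST detect Brown Orifice '
        'activity"; content: "file\\:"; nocase; content: "script"; nocase;)')

# One rule option: name, optional ": value" (quoted or bare), terminated by ';'.
OPT_RE = re.compile(r'(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

def parse_rule(rule):
    header, _, body = rule.partition("(")
    fields = dict(zip(["action", "proto", "src", "sport", "dir", "dst", "dport"], header.split()))
    fields["contents"] = []  # [pattern, nocase] pairs, in rule order
    for name, value in OPT_RE.findall(body):
        if name == "content":  # drop the quotes, resolve backslash escapes such as \:
            fields["contents"].append([re.sub(r"\\(.)", r"\1", value[1:-1]), False])
        elif name == "nocase":  # modifier applies to the content that precedes it
            fields["contents"][-1][1] = True
    return fields

def endpoint_ok(addr_spec, port_spec, ip, port):
    addr_ok = addr_spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(VARS.get(addr_spec, addr_spec))
    return addr_ok and (port_spec == "any" or int(port_spec) == port)

def rule_fires(rule, pkt):
    # Header first: protocol, source and destination endpoints; then every content
    # pattern must appear somewhere in the payload (nocase = case-insensitive).
    if (pkt["proto"] != rule["proto"]
            or not endpoint_ok(rule["src"], rule["sport"], pkt["src"], pkt["sport"])
            or not endpoint_ok(rule["dst"], rule["dport"], pkt["dst"], pkt["dport"])):
        return False
    return all((pattern.lower() in pkt["payload"].lower()) if nocase else (pattern in pkt["payload"])
               for pattern, nocase in rule["contents"])

# Constructed sample packets (not real captures): true hit, "Profile:" false positive, 8080 listener.
PACKETS = {
    "file_url_in_script": dict(proto="tcp", src="203.0.113.10", sport=80, dst="192.0.2.5", dport=40001,
                               payload='<html><script>location="FILE:///tmp/example.txt"</script></html>'),
    "benign_profile_page": dict(proto="tcp", src="203.0.113.10", sport=80, dst="192.0.2.5", dport=40002,
                                payload='<html><h1>Profile: Alice</h1><script src="menu.js"></script></html>'),
    "served_from_port_8080": dict(proto="tcp", src="192.0.2.5", sport=8080, dst="203.0.113.10", dport=40003,
                                  payload='<html><script>location="file:///tmp/example.txt"</script></html>'),
}

def evaluate(rule_text=RULE, packets=PACKETS):
    rule = parse_rule(rule_text)
    return {name: rule_fires(rule, pkt) for name, pkt in packets.items()}
```

Calling `evaluate()` returns `True` for both the real hit and the benign profile page, which is the false-positive problem the thread is discussing, and `False` for the 8080 packet.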