[Snort-sigs] BrownOrifice

Ian Macdonald secsnortsigs at ...644...
Tue Aug 27 12:11:20 EDT 2002

A basic rule would be something like:

# Rule must be on one line; $EXTERNAL_NET/$HOME_NET as defined in the stock snort.conf; sid is a placeholder in the local range
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg: "TEST detect Brown Orifice activity"; content: "file\:"; nocase; content: "script"; nocase; sid: 1000001; rev: 1;)

This is just something off the top of my head based on the information you
have given me. Some problems with this rule: there are numerous ways to
represent a section of javascript code. I believe, again from memory, that
<script> or <script type="text/javascript"> would allow javascript to be
kicked off.


I am also not sure how often "file:" would show up in a web page with

It might be easier to trap the response from the code being executed by the
javascript rather than the inbound connection.

Can you post any packet captures of traffic that you want to detect or
point to a good resource that describes how the tool works?

Please note I have not done any testing with this rule and make no
guarantees that it will be of any use to anyone or will even be accepted as
a valid snort rule.

----- Original Message -----
From: "Esler, Joel" <EslerJ at ...783...>
To: "'Ian Macdonald'" <secsnortsigs at ...644...>;
<snort-sigs at lists.sourceforge.net>
Sent: Tuesday, August 27, 2002 12:19 PM
Subject: RE: [Snort-sigs] BrownOrifice

> No, it is the word "file:" embedded into javascript which opens a back
> to allow an attacker to access local files through port 8080 on a computer
> using an older version of Netscape. All systems are vulnerable (Windows,
> Linux, Unix... blah blah) if they use this web browser...
> -----Original Message-----
> From: Ian Macdonald [mailto:secsnortsigs at ...644...]
> Sent: Tuesday, August 27, 2002 12:13 PM
> To: Esler, Joel; snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] BrownOrifice
> Is it possible to be more specific? Searching for "<javascript>" and file
> would generate a lot of false positives. Do you have any examples of
> that this backdoor generates? Does "file" always appear in the same
> in the message?
> Ian
> ----- Original Message -----
> From: "Esler, Joel" <EslerJ at ...785...>
> To: <snort-sigs at lists.sourceforge.net>
> Sent: Tuesday, August 27, 2002 11:56 AM
> Subject: [Snort-sigs] BrownOrifice
> > Has anyone seen, or developed a signature for BrownOrifice?  It would
> > to look for the word "file" in a javascript webpage.  Any thoughts?
> >
> > Joel
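
The false-positive problem raised in this thread, shown in code. This is an added example, not anything posted by Ian or Joel: it re-implements the basic rule's matching (both strings anywhere in the payload, case-insensitive) next to a tighter check that only counts a "file:" reference inside a script block, and runs both over constructed sample response bodies; the samples, function names and the "refined" check are assumptions made for the illustration.

```python
from __future__ import annotations
import re

# The thread's basic rule, as Snort would evaluate it: both strings anywhere in
# the payload, case-insensitive (content + nocase), with no regard for context.
def basic_rule_matches(payload: str) -> bool:
    p = payload.lower()
    return "file:" in p and "script" in p

# Tighter check: only a "file:" reference inside a <script> block counts.
# Covers the tag variants raised in the thread (<script>, <script type="...">),
# any letter case, and a block whose closing tag never arrives (\Z).
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)(?:</script\s*>|\Z)",
                          re.IGNORECASE | re.DOTALL)
FILE_URL = re.compile(r"file:", re.IGNORECASE)

def script_file_refs(payload: str) -> list[str]:
    """Return the bodies of script blocks that contain a file: reference."""
    return [m.group(1).strip() for m in SCRIPT_BLOCK.finditer(payload)
            if FILE_URL.search(m.group(1))]

def refined_rule_matches(payload: str) -> bool:
    return bool(script_file_refs(payload))

# Constructed sample response bodies (not captures from the thread).
SAMPLES = {
    # Documentation page: mentions file: URLs in prose and carries a harmless
    # script block. The basic rule fires; the refined check does not.
    "benign_docs": ('<html><head><script type="text/javascript">'
                    'document.title = "Docs";</script></head><body>'
                    '<p>Open a local copy with a file: URL such as '
                    'file:///home/user/docs/index.html</p></body></html>'),
    # file: reference inside a typed script block: both fire.
    "suspect": ('<html><body><script type="text/javascript">\n'
                'var root = "file:///";\n</script></body></html>'),
    # file: link but no script at all: neither fires.
    "no_script": '<html><body><a href="file:///C:/readme.txt">readme</a></body></html>',
    # Upper-case tag, no type attribute, closing tag missing: both fire.
    "unterminated": '<html><body><SCRIPT>window.location = "FILE:///";',
}

def evaluate(samples: dict[str, str] = SAMPLES) -> dict[str, tuple[bool, bool]]:
    """Map each sample name to (basic_rule_fired, refined_check_fired)."""
    return {name: (basic_rule_matches(body), refined_rule_matches(body))
            for name, body in samples.items()}

if __name__ == "__main__":
    for name, (basic, refined) in evaluate().items():
        print(f"{name:12s} basic={basic!s:5s} refined={refined}")
```

The benign documentation page is the case Ian is worried about: it trips the two-string rule while containing no script that touches a file: URL.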
