[Snort-sigs] BrownOrifice

Christopher Lyon cslyon at ...790...
Tue Aug 27 20:24:03 EDT 2002


Here are a few of the links that I have found on the Netscape Brown Orifice
issue. The CIAC link has good information and is basically the ISS alert. It
is on 8080 and the link is "file:///". The CERT link below has more details
on the methods that it can run. One of these links also mentions
".*BOHTTPD\.class" as a string within the URL data. That is, if that class
type is downloaded, that is the start of the signature. Maybe there is a way
to build a signature based on that? Ian? Esler?

http://www.ciac.org/ciac/bulletins/k-063.shtml

http://www.cert.org/advisories/CA-2000-15.html

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0676


I hope this adds to the information.

-----Original Message-----
From: Ian Macdonald [mailto:secsnortsigs at ...644...] 
Sent: Tuesday, August 27, 2002 12:11 PM
To: Esler, Joel; snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] BrownOrifice

a basic rule would be something like

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"TEST detect Brown Orifice activity"; content:"file\:"; nocase; content:"script"; nocase;)

This is just something off the top of my head based on the information you
have given me. Some problems with this rule: there are numerous ways to
represent a section of JavaScript code. I believe, again from memory, that
<script> or <script type="text/javascript"> would allow JavaScript to be
kicked off.

http://www.cert.org/tech_tips/malicious_code_mitigation.html/
http://www.cert.org/advisories/CA-2000-02.html

I am also not sure how often "file:" would show up in a web page with
"script".

It might be easier to trap the response from the code being executed by the
javascript rather than the inbound connection.

Can you post any packet captures of traffic that you want to detect or
point to a good resource that describes how the tool works?

Please note I have not done any testing with this rule and make no
guarantees that it will be of any use to anyone or will even be accepted as
a valid snort rule.

Ian
----- Original Message -----
From: "Esler, Joel" <EslerJ at ...783...>
To: "'Ian Macdonald'" <secsnortsigs at ...644...>;
<snort-sigs at lists.sourceforge.net>
Sent: Tuesday, August 27, 2002 12:19 PM
Subject: RE: [Snort-sigs] BrownOrifice


> No, it is the word "file:" embedded into JavaScript which opens a back door
> to allow an attacker to access local files through port 8080 on a computer
> using an older version of Netscape.  All systems are vulnerable (Windows,
> Linux, Unix... blah blah) if they use this web browser...
>
> -----Original Message-----
> From: Ian Macdonald [mailto:secsnortsigs at ...644...]
> Sent: Tuesday, August 27, 2002 12:13 PM
> To: Esler, Joel; snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] BrownOrifice
>
>
> Is it possible to be more specific? Searching for "<javascript>" and file
> would generate a lot of false positives. Do you have any examples of traffic
> that this backdoor generates? Does "file" always appear in the same location
> in the message?
>
> Ian
> ----- Original Message -----
> From: "Esler, Joel" <EslerJ at ...785...>
> To: <snort-sigs at lists.sourceforge.net>
> Sent: Tuesday, August 27, 2002 11:56 AM
> Subject: [Snort-sigs] BrownOrifice
>
>
> > Has anyone seen, or developed a signature for BrownOrifice?  It would need
> > to look for the word "file" in a JavaScript webpage.  Any thoughts?
> >
> > Joel
> >
> >
> > -------------------------------------------------------
> > This sf.net email is sponsored by: OSDN - Tired of that same old
> > cell phone?  Get a new here for FREE!
> > https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >
>



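The three detection ideas floated in this thread (Ian's draft content rule, Christopher's point that the download of BOHTTPD.class is the start of the signature, and Ian's suggestion to trap the response on port 8080 instead of the inbound page) can be compared by running them over a handful of sample packets. The script below is an added example written for this page; it is not code from the thread, from Snort, or from any of the linked advisories. The packets, hostnames and ports in it are constructed for illustration, and the assumption that the applet's listing page on 8080 carries "file:///" links is taken from the thread's description rather than from a real capture.

```python
"""Toy evaluation of the Brown Orifice detection ideas from the thread.

Constructed sample packets only; nothing here is captured traffic.
"""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    """One TCP segment's payload plus the ports Snort would match on."""
    src_port: int
    dst_port: int
    payload: bytes


# Rule 1: Ian's draft rule as posted: server (port 80) -> client, with both
# "file:" and "script" present anywhere in the payload, case-insensitive.
def rule_ian_draft(pkt: Packet) -> bool:
    if pkt.src_port != 80:
        return False
    body = pkt.payload.lower()
    return b"file:" in body and b"script" in body


# Rule 2: Christopher's suggestion: the client fetching the applet class
# file BOHTTPD.class.  Matched on the request line only, so the name has to
# be the last path component of the URI, not merely mentioned in a page.
_CLASS_RE = re.compile(
    rb"^(?:GET|HEAD)[ \t]+\S*/BOHTTPD\.class(?:[?#]\S*)?[ \t]+HTTP/",
    re.IGNORECASE | re.MULTILINE,
)


def rule_class_download(pkt: Packet) -> bool:
    return pkt.dst_port == 80 and _CLASS_RE.search(pkt.payload) is not None


# Rule 3: Ian's other idea, trapping the response rather than the inbound
# page: an HTTP response leaving an internal host from port 8080 whose body
# carries file:/// links.  That the listing uses "file:///" hrefs is an
# assumption based on the thread's description, not a captured sample.
def rule_bo_server_response(pkt: Packet) -> bool:
    if pkt.src_port != 8080:
        return False
    return pkt.payload.startswith(b"HTTP/1.") and b"file:///" in pkt.payload.lower()


RULES = {
    "ian_draft": rule_ian_draft,
    "class_download": rule_class_download,
    "bo_server_response": rule_bo_server_response,
}


def evaluate(pkt: Packet) -> set:
    """Return the names of all rules that fire on one packet."""
    return {name for name, fn in RULES.items() if fn(pkt)}


# Constructed samples (not real captures).
SAMPLES = {
    # A hostile page: loads the applet and links to the 8080 listener.
    "hostile_page": Packet(80, 1025, (
        b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<html><applet code=\"BOHTTPD.class\" width=1 height=1></applet>"
        b"<script>location='http://127.0.0.1:8080/file:///'</script></html>"
    )),
    # The browser then fetches the class file from the hostile site.
    "class_fetch": Packet(1026, 80, (
        b"GET /applets/BOHTTPD.class HTTP/1.0\r\nHost: evil.example\r\n\r\n"
    )),
    # A harmless manual page that happens to mention file: URLs and <script>.
    "benign_docs": Packet(80, 1027, (
        b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<html><p>Open a local copy with a file: URL.</p>"
        b"<script type=\"text/javascript\">/* nav */</script></html>"
    )),
    # A page that merely mentions the class name in text: not a download.
    "benign_mention": Packet(80, 1028, (
        b"HTTP/1.0 200 OK\r\n\r\n<p>Scanners flag BOHTTPD.class as hostile.</p>"
    )),
    # The applet's own server answering on 8080 with a file:/// listing.
    "bo_listing": Packet(8080, 2000, (
        b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<a href=\"file:///C:/\">C:/</a><a href=\"file:///etc/\">/etc/</a>"
    )),
}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:16} -> {sorted(evaluate(pkt)) or 'no match'}")
```

Running it shows the trade-off the thread is circling: the draft "file:" plus "script" rule fires on the hostile page but also on the benign documentation page, which is the false-positive problem Ian raises, while the class-file check fires only on the actual GET for BOHTTPD.class (the same effect as restricting a Snort match to the request URI with `uricontent` instead of `content`) and stays quiet on a page that just names the file. The 8080 response check is independent of how the page was delivered, which is why trapping the response can be the more robust of the three.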