
List:       snort-sigs
Subject:    RE: [Snort-sigs] BrownOrifice
From:       Christopher Lyon <cslyon () netsvcs ! com>
Date:       2002-08-28 3:23:28

Here are a few of the links that I have found on the Netscape Brown Orifice
issue. The CIAC link has good information and is basically the ISS alert. It
is on 8080 and the link is "file:///". The CERT link below has more details
on the methods that it can run. One of these links also mentions the
".*BOHTTPD\.class" as a string within the URL data. That is, if that class
type is downloaded, that is the start of the signature. Maybe there is a way
to build a signature based on that? Ian? Esler?

http://www.ciac.org/ciac/bulletins/k-063.shtml

http://www.cert.org/advisories/CA-2000-15.html

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0676


I hope this adds to the information.
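Two Snort 2.x rules built from the points raised in this thread, as an added example rather than anything posted to the list: the first keys on the BOHTTPD.class string in the URL data mentioned above, the second on a file: request reaching the applet's listener on TCP 8080 as the CERT/CIAC advisories describe. Assumed: $HTTP_PORTS is the stock snort.conf variable, the sid values are local placeholders, and the file: URL appears in the request line sent to port 8080.

```snort
# Added example rules (not from the thread). sid values are local placeholders.

# 1) The victim's browser fetching the applet class from the hostile page:
#    outbound request whose URI contains BOHTTPD.class (as noted in the advisories).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"Brown Orifice BOHTTPD.class applet download"; \
    flow:to_server,established; \
    content:"BOHTTPD.class"; nocase; http_uri; \
    classtype:trojan-activity; sid:1000010; rev:1; )

# 2) Use of the backdoor: a request hitting the applet's HTTP server on 8080
#    on an internal host with a file: URL in the request line.
#    (assumes the file: URL travels in the request line, per the "file:///" link above)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( \
    msg:"Brown Orifice file: request to applet HTTP server on 8080"; \
    flow:to_server,established; \
    content:"GET "; depth:4; \
    content:"file:"; nocase; distance:0; \
    classtype:trojan-activity; sid:1000011; rev:1; )
```

Rule 2 will also fire on any legitimate service on 8080 that is asked for a file: URL, so check which internal hosts run web servers on that port before deploying it.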

-----Original Message-----
From: Ian Macdonald [mailto:secsnortsigs@dirk.demon.co.uk] 
Sent: Tuesday, August 27, 2002 12:11 PM
To: Esler, Joel; snort-sigs@lists.sourceforge.net
Subject: Re: [Snort-sigs] BrownOrifice

a basic rule would be something like

# sid added from the local (>= 1000000) range so Snort will load the rule
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"TEST detect Brown Orifice activity"; content:"file:"; nocase; content:"script"; nocase; sid:1000001; rev:1;)

This is just something off the top of my head based on the information you
have given me. Some problems with this rule: there are numerous ways to
represent a section of javascript code. I believe again from memory that
<script> or <script type="text/javascript"> would allow javascript to be
kicked off.

http://www.cert.org/tech_tips/malicious_code_mitigation.html/
http://www.cert.org/advisories/CA-2000-02.html

I am also not sure how often "file:" would show up in a web page with
"script".

It might be easier to trap the response from the code being executed by the
javascript rather than the inbound connection.

Can  you post any packet captures of traffic that you want to detect or
point to a good resource that describes how the tool works?

Please note I have not done any testing with this rule and make no
guarantees that it will be of any use to anyone or will even be accepted as
a valid snort rule.

Ian
----- Original Message -----
From: "Esler, Joel" <EslerJ@rcert-s.army.mil>
To: "'Ian Macdonald'" <secsnortsigs@dirk.demon.co.uk>;
<snort-sigs@lists.sourceforge.net>
Sent: Tuesday, August 27, 2002 12:19 PM
Subject: RE: [Snort-sigs] BrownOrifice


> No, it is the word "file:" embedded into javascript which opens a back door
> to allow an attacker to access local files through port 8080 on a computer
> using an older version of Netscape.  All systems are vulnerable (windows,
> linux, unix... blah blah) if they use this web browser...
>
> -----Original Message-----
> From: Ian Macdonald [mailto:secsnortsigs@dirk.demon.co.uk]
> Sent: Tuesday, August 27, 2002 12:13 PM
> To: Esler, Joel; snort-sigs@lists.sourceforge.net
> Subject: Re: [Snort-sigs] BrownOrifice
>
>
> Is it possible to be more specific? Searching for "<javascript>" and file
> would generate a lot of false positives. Do you have any examples of traffic
> that this backdoor generates? Does "file" always appear in the same location
> in the message?
>
> Ian
> ----- Original Message -----
> From: "Esler, Joel" <EslerJ@RCERT-S.ARMY.MIL>
> To: <snort-sigs@lists.sourceforge.net>
> Sent: Tuesday, August 27, 2002 11:56 AM
> Subject: [Snort-sigs] BrownOrifice
>
>
> > Has anyone seen, or developed a signature for BrownOrifice?  It would need
> > to look for the word "file" in a javascript webpage.  Any thoughts?
> >
> > Joel
> >
> >





-------------------------------------------------------
This sf.net email is sponsored by: Jabber - The world's fastest growing 
real-time communications platform! Don't just IM. Build it in! 
http://www.jabber.com/osdn/xim
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

