Back Orifice Detection Preprocessor
The Back Orifice preprocessor analyzes UDP traffic for the Back Orifice magic cookie, `*!*QWTY?`, which is located in the first eight bytes of the packet and is XOR-encrypted.
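The following is an added example, not code from this page or from the preprocessor itself, showing how a detector can recognize the XOR-encrypted cookie without knowing the key by precomputing every possible encrypted form of the eight cookie bytes. It assumes the keystream comes from a 32-bit linear congruential generator seeded with a 16-bit value, which this page does not state; the function names and sample payloads are constructed for illustration.

```python
# Added illustration. The generator constants and the 16-bit seed space are
# assumptions about the Back Orifice keystream, not details from this page.
COOKIE = b"*!*QWTY?"  # magic cookie named on the page


def keystream(seed, n):
    """Assumed generator: 32-bit LCG, one byte from bits 16-23 per step."""
    state, out = seed, bytearray()
    for _ in range(n):
        state = (state * 214013 + 2531011) & 0xFFFFFFFF
        out.append((state >> 16) & 0xFF)
    return bytes(out)


def xor_bytes(data, seed):
    """XOR data with the keystream for seed (same call encrypts and decrypts)."""
    return bytes(a ^ b for a, b in zip(data, keystream(seed, len(data))))


def build_prefix_table():
    """Map each possible encrypted cookie (8 bytes) to a seed that produces it."""
    table = {}
    for seed in range(0x10000):
        table.setdefault(xor_bytes(COOKIE, seed), seed)
    return table


PREFIX_TABLE = build_prefix_table()  # built once, then each packet is one lookup


def detect(udp_payload):
    """Return the matching seed if the first eight bytes are an encrypted
    cookie, otherwise None. Payloads shorter than the cookie never match."""
    if len(udp_payload) < len(COOKIE):
        return None
    return PREFIX_TABLE.get(bytes(udp_payload[:len(COOKIE)]))


if __name__ == "__main__":
    # Constructed samples: an encrypted cookie plus filler, and a DNS-like header.
    samples = {
        "encrypted cookie": xor_bytes(COOKIE + b"\x00" * 10, 31337),
        "dns-like query": b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00",
        "too short": b"*!*",
    }
    for name, payload in samples.items():
        print(name, "->", "match" if detect(payload) is not None else "no match")
```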
The Back Orifice preprocessor has a configuration page, but no configuration options. When it is enabled, you must also enable preprocessor rules for the preprocessor to generate events and, in an inline deployment, drop offending packets.
| Preprocessor rule GID:SID | Description |
|---|---|
| 105:1 | Back Orifice traffic detected |
| 105:2 | Back Orifice client traffic detected |
| 105:3 | Back Orifice server traffic detected |
| 105:4 | Back Orifice Snort buffer attack detected |