From: Tom Peters (thopeter) Date: Wed, 10 Nov 2021 20:50:53 +0000 (+0000) Subject: Pull request #3157: US 708162: Timebox: Built-in rule documentation - back orifice X-Git-Tag: 3.1.17.0~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bd289da8f3994d2026f2f44833a5e0c12e83f65a;p=thirdparty%2Fsnort3.git Pull request #3157: US 708162: Timebox: Built-in rule documentation - back orifice Merge in SNORT/snort3 from ~MDAGON/snort3:bo_doc to master Squashed commit of the following: commit 3fb00bd44ee93c4bf67a99d7a01e82ae00687432 Author: Maya Dagon Date: Mon Nov 8 17:01:17 2021 -0500 doc: back orifice builtin rules --- diff --git a/doc/reference/builtin_stubs.txt b/doc/reference/builtin_stubs.txt index e6da01eee..1d64e4f27 100644 --- a/doc/reference/builtin_stubs.txt +++ b/doc/reference/builtin_stubs.txt @@ -4,19 +4,19 @@ A tagged packet was logged. 105:1 -(back_orifice) BO traffic detected +Back orifice traffic detected, unknown direction 105:2 -(back_orifice) BO client traffic detected +Back orifice client traffic detected 105:3 -(back_orifice) BO server traffic detected +Back orifice server traffic detected 105:4 -(back_orifice) BO Snort buffer attack +Back orifice length field >= 1024 bytes 106:1 diff --git a/src/service_inspectors/back_orifice/back_orifice.cc b/src/service_inspectors/back_orifice/back_orifice.cc index 5d5ef0145..998646741 100644 --- a/src/service_inspectors/back_orifice/back_orifice.cc +++ b/src/service_inspectors/back_orifice/back_orifice.cc 
@@ -159,13 +159,13 @@ static THREAD_LOCAL SimpleStats bostats; #define BO_SNORT_BUFFER_ATTACK 4 #define BO_TRAFFIC_DETECT_STR \ - "BO traffic detected" + "Back orifice traffic detected, unknown direction" #define BO_CLIENT_TRAFFIC_DETECT_STR \ - "BO client traffic detected" + "Back orifice client traffic detected" #define BO_SERVER_TRAFFIC_DETECT_STR \ - "BO server traffic detected" + "Back orifice server traffic detected" #define BO_SNORT_BUFFER_ATTACK_STR \ - "BO Snort buffer attack" + "Back orifice length field >= 1024 bytes" static const RuleMap bo_rules[] = {
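Review bot: in the doc/reference/builtin_stubs.txt hunk, the new 105:4 text "Back orifice length field >= 1024 bytes" states the trigger condition but drops the reason the alert matters, which the old wording ("BO Snort buffer attack") at least hinted at. An analyst reading the reference for 105:4 should learn both what was observed and why it is treated as hostile, so consider a second sentence that says the oversized length field is flagged as an attempted buffer attack against the sensor. A smaller style point for 105:1 through 105:4: the tool's name is normally written "Back Orifice", so capitalizing both words would read better in user-facing documentation.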
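Review bot: in the src/service_inspectors/back_orifice/back_orifice.cc hunk, BO_SNORT_BUFFER_ATTACK_STR now expands to "Back orifice length field >= 1024 bytes" while the macro and the event id BO_SNORT_BUFFER_ATTACK keep the old name, so the identifier and the message no longer describe the same thing. A short comment above the define that ties the two together would help the next reader. The literal 1024 is also now embedded in the message text, so it will silently go stale if the length check in the inspector ever changes; a comment pointing at that check would make the dependency visible. Finally, all four strings are alert messages that appear in output, so anything downstream that matches on the old "BO ..." text (log parsers, SIEM correlation rules, suppression lists keyed on message) will stop matching. The commit message only says "doc: back orifice builtin rules", and it would be worth calling out the message change in the release notes.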