Cisco Firepower Management Center 4000
FireSIGHT System User Guide

Chapter 28
Detecting Specific Threats
You can use some of the advanced configuration options in an intrusion policy to detect specific threats, such as Back Orifice attacks, several portscan types, and rate-based attacks that attempt to overwhelm your network with excessive traffic. See the following sections for more information:
  • Detecting Back Orifice explains detection of Back Orifice attacks.
  • describes the different types of portscans and explains how you can use portscan detection to identify threats to your networks before they develop into attacks.
  • explains how to limit denial of service (DoS) and SYN flood attacks.
  • explains how to detect and generate events on sensitive data such as credit card numbers and Social Security numbers in ASCII text.
Detecting Back Orifice
License: Protection
The FireSIGHT System provides a preprocessor that detects the presence of the Back Orifice program, a remote-administration tool that can be used to gain administrator-level access to your Windows hosts. The Back Orifice preprocessor analyzes UDP traffic for the Back Orifice magic cookie, "*!*QWTY?", which is located in the first eight bytes of the packet and is XOR-encrypted.
The Back Orifice preprocessor has a configuration page, but no configuration options. When it is enabled, you must also enable the preprocessor rules in the following table for the preprocessor to generate corresponding events. A link on the configuration page takes you to a filtered view of Back Orifice preprocessor rules on the Rules page, where you can enable and disable rules and configure other rule attributes. See for more information.
Table 28-1    Back Orifice GID:SIDs

Preprocessor rule GID:SID    Description
105:1                        Back Orifice traffic detected
105:2                        Back Orifice client traffic detected
105:3                        Back Orifice server traffic detected
105:4                        Back Orifice Snort buffer attack detected
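The following is an added example, not code from the FireSIGHT System or from Cisco, showing how a detector can recognize the XOR-encrypted magic cookie the preprocessor looks for (the condition behind GID:SID 105:1). The guide only states that the cookie is XOR-encrypted; the keystream generator used here (a 16-bit key seeding a linear congruential generator, state = state * 214013 + 2531011 mod 2^32, with bits 24..31 as the key byte, default key 31337) is an assumption modeled on the open-source Snort Back Orifice preprocessor, and the sample UDP payloads are constructed for the example.

```python
"""Back Orifice magic-cookie detector (added example, not Cisco or Snort code).

Assumption: the XOR keystream mirrors the open-source Snort preprocessor.
A 16-bit key seeds a linear congruential generator; each payload byte is
XORed with bits 24..31 of the generator state.
"""
from typing import Dict, List, Optional, Tuple

MAGIC_COOKIE = b"*!*QWTY?"   # plaintext cookie named in the guide
DEFAULT_KEY = 31337          # Back Orifice default key (assumption)
MASK32 = 0xFFFFFFFF          # generator state is a 32-bit integer


def bo_keystream(key: int, length: int) -> bytes:
    """Produce `length` keystream bytes for a 16-bit key (assumed generator)."""
    state = key & 0xFFFF
    out = bytearray()
    for _ in range(length):
        state = (state * 214013 + 2531011) & MASK32
        out.append(state >> 24)          # top byte of a 32-bit value: 0..255
    return bytes(out)


def bo_xor(key: int, data: bytes) -> bytes:
    """XOR data with the keystream; the cipher is symmetric, so the same
    call both encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, bo_keystream(key, len(data))))


def build_cookie_table() -> Dict[bytes, int]:
    """Map each of the 65536 possible encrypted cookies back to its key.

    Precomputing this once means each UDP packet costs a dictionary lookup
    instead of trying every key per packet.
    """
    return {bo_xor(key, MAGIC_COOKIE): key for key in range(1 << 16)}


COOKIE_TABLE = build_cookie_table()


def detect_back_orifice(udp_payload: bytes) -> Optional[int]:
    """Return the key if the first eight bytes decrypt to the magic cookie.

    A non-None result corresponds to "Back Orifice traffic detected"
    (GID:SID 105:1); short or non-matching payloads return None.
    """
    if len(udp_payload) < len(MAGIC_COOKIE):
        return None
    return COOKIE_TABLE.get(bytes(udp_payload[:len(MAGIC_COOKIE)]))


def scan_udp_payloads(payloads: List[Tuple[str, bytes]]) -> List[Tuple[str, int]]:
    """Run the detector over (label, payload) pairs and return the hits."""
    hits = []
    for label, payload in payloads:
        key = detect_back_orifice(payload)
        if key is not None:
            hits.append((label, key))
    return hits


if __name__ == "__main__":
    # Constructed sample traffic: two Back Orifice-style payloads (default key
    # and a non-default key) and one ordinary DNS-like UDP payload.
    samples = [
        ("bo-default-key", bo_xor(DEFAULT_KEY, MAGIC_COOKIE + b"\x00" * 10)),
        ("bo-custom-key", bo_xor(4242, MAGIC_COOKIE + b"ping")),
        ("dns-like", b"\x12\x34\x01\x00\x00\x01\x00\x00"),
    ]
    for label, key in scan_udp_payloads(samples):
        print(f"{label}: Back Orifice cookie found, key={key}")
```

Because the key space is only 16 bits, the cookie can be recovered from the ciphertext alone, which is why the preprocessor needs no configuration options: it does not have to know the key in advance.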