Back Orifice Detector 
			---------------------
			      v.02
  			    10/17/98  
			 sili@l0pht.com


This module detects patterns in that happen within Back Orifice
client/server communications. This module does not rely on the poor
encryption technique used in BO.

The output looks like this:

<src ip>  <src port>  <dst IP>  <dst port>
------------------------------------------

There are times when network becomes saturated and the NFR module
actually see's the servers BO response _first_, and will show up in the
source port.  This happens when NFR gets reloaded and someone is actively
issuing BO commands.  For 95% of the time, the <dst port> will be the port
that BO is running on.  On the %5 of the other time, it'll actually be
running on <src ip>'s <src port>.

The code is cobbleded together around broken NFR features that should be
fixed in NFR 2.0.  Look at the code to see the things that don't work as
they should...