Security Incidents mailing list archives
Re: What is this?
From: Andreas Östling <andreaso () IT SU SE>
Date: Wed, 14 Feb 2001 23:55:55 +0100
On Wed, 14 Feb 2001, Max Gribov wrote:

> above, is a piece of bugtraq archive with stacheldraht analysis. if your network is infected, it means all infected machines on your network will be happily flooding some innocent server somewhere on the internet sometime soon.
>
> On Wed, 14 Feb 2001, Simeon Johnston wrote:
>
>> We have been getting this in our snort logs for some time now and I am wondering exactly what it is. I searched for it on security focus and they say that it is part of some ddos packages.
>>
>> IDS193/ddos-stacheldraht server-spoof: (sender here) -> (receiver here)
Simeon, you are probably using this Snort rule:

    alert ICMP any any -> any any (msg: "IDS193/ddos-stacheldraht server-spoof"; itype: 8; icmp_id: 666;)

This rule doesn't check for any specific packet content and it might be a false positive. Some Napster clients seem to often send ICMP packets with ID 666. Check the payload (if you have it) in the logged packets for clues, and run find_ddos on your suspect hosts.

Regards,
Andreas Östling
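The header-only match described in the reply above, as an added example (not part of the original post and not Snort's own code): it applies the same two tests as the quoted rule to raw ICMP messages, then shows the payload the rule never looks at. The function names are hypothetical, the input is assumed to start at the ICMP header, and `MARKERS` holds a constructed placeholder that an analyst would replace with strings from a published analysis.

```python
import struct

RULE_ITYPE, RULE_ICMP_ID = 8, 666  # itype and icmp_id from the rule quoted above
MARKERS = [b"EXAMPLE-MARKER"]       # constructed placeholder, not a real tool string

def icmp_checksum(data):
    """RFC 1071 Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_id, seq, payload):
    """Build a constructed ICMP echo request to use as sample input."""
    head = struct.pack("!BBHHH", 8, 0, 0, icmp_id, seq)
    csum = icmp_checksum(head + payload)
    return struct.pack("!BBHHH", 8, 0, csum, icmp_id, seq) + payload

def triage(icmp, markers=MARKERS):
    """Apply the rule's header-only test, then inspect what it ignores."""
    if len(icmp) < 8:
        return {"rule_match": False, "verdict": "truncated ICMP header"}
    itype, _code, _csum, icmp_id, _seq = struct.unpack("!BBHHH", icmp[:8])
    payload = icmp[8:]
    rule_match = itype == RULE_ITYPE and icmp_id == RULE_ICMP_ID
    hits = [m for m in markers if m in payload]
    if not rule_match:
        verdict = "rule does not fire"
    elif hits:
        verdict = "rule fires, payload marker present"
    else:
        verdict = "rule fires on header only: review payload"
    return {
        "rule_match": rule_match,
        "checksum_ok": icmp_checksum(icmp) == 0,
        "payload_preview": "".join(chr(b) if 32 <= b < 127 else "." for b in payload[:32]),
        "marker_hits": hits,
        "verdict": verdict,
    }

if __name__ == "__main__":
    samples = [build_echo(666, 1, b"abcdefghijklmnopqrstuvw"),   # benign-looking payload
               build_echo(666, 2, b"\x00EXAMPLE-MARKER\x00"),
               build_echo(1234, 3, b"abcdefgh")]
    for pkt in samples:
        print(triage(pkt))
```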