Re: What is this?

[Geoff the UNIX guy <galitz () UCLINK BERKELEY EDU>]

You can view the rules file for snort to determine which
ports match this rule, but you should be aware that this
particular rule can sometimes trigger on some peer-to-peer
application sharing programs (a la napster or gnutella).

If I were you, I'd inspect whatever machine is receiving
the data and look for signs of intrusion, including running
"dds" and "lsof" (if it is a UNIX box) and any other of your favorite
techniques.

FWIW, DMZ systems should be spot-checked periodically, anyway.

-geoff

On Wed, 14 Feb 2001, Simeon Johnston wrote:

> We have been getting this in our snort logs for some time now and I am
> wondering exactly what it is.  I searched for it on security focus and
> they say is that it is part of some ddos packages.  It has been going to
> our firewall and to another machine in our DMZ.  These are the only
> machines that were hit.  Is there any danger from this?  Is there a way
> to tell what port it is on?  Is this a snort configuration problem?  Any
> known vulnerabilities?
> I am running RedHat 6.2 on the firewall w/ IPChains.
>
> IDS193/ddos-stacheldraht server-spoof: (sender hear) -> (receiver here)

---------------------------------------------------
Geoff Galitz, galitz () uclink berkeley edu
Research Computing
College of Chemistry, UC Berkeley
---------------------------------------------------
     The laws of physics can be a harsh mistress...
        - Bender