Snort mailing list archives

Re: DDOS Trin00


From: Phil Wood <cpw () lanl gov>
Date: Wed, 21 Nov 2001 08:16:59 -0700

On Tue, Nov 20, 2001 at 05:02:33PM -0700, james wrote:
> Whitehats is down; can anyone tell me how specific the DDOS Trin00 rule is?

I can't tell you.  But, if you look over the rules, and check the content
elements, it will give you an idea.  (As an aside, make sure you are not
monitoring a network on which you back up your file systems which have the
rule sets, or you will get alerts%^).  Here are the rules as of 20010821.1454:

alert TCP $EXTERNAL any -> $INTERNAL 27665 (msg: "IDS525/ddos_ddos-trin00-attacker-to-master-gOrave"; flags: A+; content: "gOrave"; classtype: system-success; reference: arachnids,525;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS451/ftp_ftp-solaris28-formatstring"; flags: A+; content: "|901BC00F 82102017 91D02008|"; classtype: system-attempt; reference: arachnids,451;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS430/web-cgi_http-php_strings_exploit-portal-tf8"; flags: A+; content: "?STRENGUR "; classtype: system-attempt; reference: arachnids,430;)
alert UDP $EXTERNAL any -> $INTERNAL 27444 (msg: "IDS197/ddos_ddos-trin00-master-to-daemon"; content: "l44adsl"; classtype: system-success; reference: arachnids,197;)
alert UDP any any -> any 31335 (msg: "IDS187/ddos_ddos-trin00-daemon-to-master-pong"; content: "PONG"; classtype: system-success; reference: arachnids,187;)
alert TCP $EXTERNAL any -> $INTERNAL 27665 (msg: "IDS528/ddos_ddos-trin00-attacker-to-master-killme"; flags: A+; content: "killme"; classtype: system-success; reference: arachnids,528;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS431/web-cgi_http-php_strings_exploit-atstake"; flags: A+; content: "|ba49feffff f7d2 b9bfffffff f7d1|"; classtype: system-attempt; reference: arachnids,431;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS453/ftp_ftp-6350wu-formatstring-check"; flags: A+; content: "SITE EXEC |25 30 32 30 64 7C 25 2E 66 25 2E 66 7C 0A|"; depth: 32; nocase; classtype: system-attempt; reference: arachnids,453;)
alert TCP $EXTERNAL any -> $INTERNAL 27665 (msg: "IDS196/ddos_ddos-trin00-attacker-to-master"; flags: A+; content: "betaalmostdone"; classtype: system-success; reference: arachnids,196;)
alert UDP $EXTERNAL any -> $INTERNAL 31335 (msg: "IDS185/ddos_ddos-trin00-daemon-to-master"; content: "*HELLO*"; classtype: system-success; reference: arachnids,185;)
alert UDP $EXTERNAL any -> $INTERNAL 27444 (msg: "IDS186/ddos_ddos-trin00-master-to-daemon-png"; content: "png l44"; classtype: system-success; reference: arachnids,186;)
alert TCP $INTERNAL 6939 -> $EXTERNAL 1024: (msg: "IDS89/trojan_trojan-active-indoctrination"; flags: SA; classtype: system-success; reference: arachnids,89;)


James Edwards
jamesh () cybermesa com
At the Santa Fe Office: Internet at Cyber Mesa
Store hours: 9-6 Monday through Friday
Phone support 365 days till 10 pm via the Santa Fe office:
505-988-9200 or Toll Free: 888-988-2700



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov
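Phil's point, that the rules are only as specific as their content strings and port bindings, can be checked by hand. What follows is an added example, not code from this post, from Snort or from arachNIDS: a small Python simulator of the few rule options these particular rules use (content with |hex| segments, depth, nocase, flags, exact and open-ended port specs), run over packets constructed here. It assumes $EXTERNAL and $INTERNAL resolve to "any" (addresses are ignored), uses a subset of the rules quoted above as its rule file, and fabricates every packet payload, including a "backup" packet whose payload is the rule file itself, to show the false positive Phil mentions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed rule file: a subset of the arachNIDS rules quoted in the post.
RULES_TEXT = r'''
alert TCP $EXTERNAL any -> $INTERNAL 27665 (msg: "IDS525/ddos_ddos-trin00-attacker-to-master-gOrave"; flags: A+; content: "gOrave"; classtype: system-success; reference: arachnids,525;)
alert UDP $EXTERNAL any -> $INTERNAL 27444 (msg: "IDS197/ddos_ddos-trin00-master-to-daemon"; content: "l44adsl"; classtype: system-success; reference: arachnids,197;)
alert UDP any any -> any 31335 (msg: "IDS187/ddos_ddos-trin00-daemon-to-master-pong"; content: "PONG"; classtype: system-success; reference: arachnids,187;)
alert TCP $EXTERNAL any -> $INTERNAL 27665 (msg: "IDS528/ddos_ddos-trin00-attacker-to-master-killme"; flags: A+; content: "killme"; classtype: system-success; reference: arachnids,528;)
alert TCP $EXTERNAL any -> $INTERNAL 27665 (msg: "IDS196/ddos_ddos-trin00-attacker-to-master"; flags: A+; content: "betaalmostdone"; classtype: system-success; reference: arachnids,196;)
alert UDP $EXTERNAL any -> $INTERNAL 31335 (msg: "IDS185/ddos_ddos-trin00-daemon-to-master"; content: "*HELLO*"; classtype: system-success; reference: arachnids,185;)
alert UDP $EXTERNAL any -> $INTERNAL 27444 (msg: "IDS186/ddos_ddos-trin00-master-to-daemon-png"; content: "png l44"; classtype: system-success; reference: arachnids,186;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS453/ftp_ftp-6350wu-formatstring-check"; flags: A+; content: "SITE EXEC |25 30 32 30 64 7C 25 2E 66 25 2E 66 7C 0A|"; depth: 32; nocase; classtype: system-attempt; reference: arachnids,453;)
alert TCP $INTERNAL 6939 -> $EXTERNAL 1024: (msg: "IDS89/trojan_trojan-active-indoctrination"; flags: SA; classtype: system-success; reference: arachnids,89;)
'''

# Header: action proto src_addr src_port -> dst_addr dst_port (options)
HEADER_RE = re.compile(r'^alert\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')


@dataclass
class Rule:
    proto: str
    src_port: str
    dst_port: str
    msg: str = ''
    content: Optional[bytes] = None   # raw bytes after |hex| expansion
    depth: Optional[int] = None       # search only the first N payload bytes
    nocase: bool = False
    flags: Optional[str] = None       # TCP flag spec, e.g. "A+" or "SA"


@dataclass
class Packet:
    proto: str
    src_port: int
    dst_port: int
    payload: bytes
    flags: str = ''                   # set TCP flag letters, e.g. "PA"


def parse_content(spec: str) -> bytes:
    """Snort content syntax: literal text with |hex bytes| segments in between."""
    out = bytearray()
    for i, part in enumerate(spec.split('|')):
        if i % 2 == 1:                # odd segments are inside |...|
            out += bytes.fromhex(part.replace(' ', ''))
        else:
            out += part.encode('latin-1')
    return bytes(out)


def parse_rules(text: str) -> list:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith('alert'):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError('unparsed rule: ' + line)
        proto, _src, sport, _dst, dport, body = m.groups()   # addresses ignored (assumed "any")
        rule = Rule(proto=proto.upper(), src_port=sport, dst_port=dport)
        for opt in body.split(';'):   # none of these contents embed ';'
            key, _, val = opt.strip().partition(':')
            key, val = key.strip(), val.strip().strip('"')
            if key == 'msg':
                rule.msg = val
            elif key == 'content':
                rule.content = parse_content(val)
            elif key == 'depth':
                rule.depth = int(val)
            elif key == 'nocase':
                rule.nocase = True
            elif key == 'flags':
                rule.flags = val
        rules.append(rule)
    return rules


def port_matches(spec: str, port: int) -> bool:
    if spec == 'any':
        return True
    if spec.endswith(':'):            # "1024:" means 1024 and above
        return port >= int(spec[:-1])
    if ':' in spec:
        lo, hi = spec.split(':')
        return int(lo) <= port <= int(hi)
    return port == int(spec)


def flags_match(spec: str, pkt_flags: str) -> bool:
    """'A+' = listed flags set, others don't care; '*' = any listed; bare = exact."""
    mode = spec[-1] if spec[-1] in '+*' else ''
    want, have = set(spec.rstrip('+*')), set(pkt_flags)
    if mode == '+':
        return want <= have
    if mode == '*':
        return bool(want & have)
    return want == have


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    if not (port_matches(rule.src_port, pkt.src_port) and port_matches(rule.dst_port, pkt.dst_port)):
        return False
    if rule.flags and not flags_match(rule.flags, pkt.flags):
        return False
    if rule.content is not None:
        hay = pkt.payload if rule.depth is None else pkt.payload[:rule.depth]
        needle = rule.content
        if rule.nocase:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:         # plain substring search, nothing more
            return False
    return True


def alerts(rules: list, pkt: Packet) -> list:
    return [r.msg for r in rules if rule_matches(r, pkt)]


# Constructed packets (no real captures). Flags only matter for TCP.
DEMO_PACKETS = {
    'master_to_daemon': Packet('UDP', 40000, 27444, b'l44adsl'),
    'wrong_port':       Packet('UDP', 40000, 27445, b'l44adsl'),
    'chat_pong':        Packet('UDP', 40000, 31335, b'player2: PONG, your serve'),
    'rule_backup':      Packet('TCP', 40000, 27665, RULES_TEXT.encode(), flags='PA'),
    'wu_ftpd_probe':    Packet('TCP', 40000, 21, b'SITE EXEC %020d|%.f%.f|\n', flags='PA'),
    'wu_ftpd_deep':     Packet('TCP', 40000, 21, b'X' * 40 + b'site exec %020d|%.f%.f|\n', flags='PA'),
    'trojan_synack':    Packet('TCP', 6939, 2000, b'', flags='SA'),
}


def demo() -> dict:
    rules = parse_rules(RULES_TEXT)
    return {name: alerts(rules, pkt) for name, pkt in DEMO_PACKETS.items()}


if __name__ == '__main__':
    for name, hits in demo().items():
        print(f'{name:18s} -> {hits or "(no alert)"}')
```

Three things fall out of running it: the Trin00 rules fire on nothing but a short literal on one port (the same "l44adsl" one port over is silent), any UDP datagram to 31335 with "PONG" anywhere in it fires IDS187 whatever it really is, and a copy of the rule file itself, sent to a port one of the rules watches, trips every content rule on that port, which is the backup-traffic false positive Phil warns about. The wu-ftpd rule also shows what depth buys: the same string past byte 32 is not seen.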


