Snort mailing list archives
Re: DDOS Trin00
From: Phil Wood <cpw () lanl gov>
Date: Wed, 21 Nov 2001 08:16:59 -0700
On Tue, Nov 20, 2001 at 05:02:33PM -0700, james wrote:
Whitehats is down, can anyone tell me how specific the DDOS Trin00 rule is?
I can't tell you. But, if you look over the rules and check the content elements, it will give you an idea. (As an aside, make sure you are not monitoring a network on which you back up your file systems, which have the rule sets, or you will get alerts %^) Here are the rules as of 20010821.1454:

alert TCP $EXTERNAL any -> $INTERNAL 27665 (msg: "IDS525/ddos_ddos-trin00-attacker-to-master-gOrave"; flags: A+; content: "gOrave"; classtype: system-success; reference: arachnids,525;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS451/ftp_ftp-solaris28-formatstring"; flags: A+; content: "|901BC00F 82102017 91D02008|"; classtype: system-attempt; reference: arachnids,451;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS430/web-cgi_http-php_strings_exploit-portal-tf8"; flags: A+; content: "?STRENGUR "; classtype: system-attempt; reference: arachnids,430;)
alert UDP $EXTERNAL any -> $INTERNAL 27444 (msg: "IDS197/ddos_ddos-trin00-master-to-daemon"; content: "l44adsl"; classtype: system-success; reference: arachnids,197;)
alert UDP any any -> any 31335 (msg: "IDS187/ddos_ddos-trin00-daemon-to-master-pong"; content: "PONG"; classtype: system-success; reference: arachnids,187;)
alert TCP $EXTERNAL any -> $INTERNAL 27665 (msg: "IDS528/ddos_ddos-trin00-attacker-to-master-killme"; flags: A+; content: "killme"; classtype: system-success; reference: arachnids,528;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS431/web-cgi_http-php_strings_exploit-atstake"; flags: A+; content: "|ba49feffff f7d2 b9bfffffff f7d1|"; classtype: system-attempt; reference: arachnids,431;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS453/ftp_ftp-6350wu-formatstring-check"; flags: A+; content: "SITE EXEC |25 30 32 30 64 7C 25 2E 66 25 2E 66 7C 0A|"; depth: 32; nocase; classtype: system-attempt; reference: arachnids,453;)
alert TCP $EXTERNAL any -> $INTERNAL 27665 (msg: "IDS196/ddos_ddos-trin00-attacker-to-master"; flags: A+; content: "betaalmostdone"; classtype: system-success; reference: arachnids,196;)
alert UDP $EXTERNAL any -> $INTERNAL 31335 (msg: "IDS185/ddos_ddos-trin00-daemon-to-master"; content: "*HELLO*"; classtype: system-success; reference: arachnids,185;)
alert UDP $EXTERNAL any -> $INTERNAL 27444 (msg: "IDS186/ddos_ddos-trin00-master-to-daemon-png"; content: "png l44"; classtype: system-success; reference: arachnids,186;)
alert TCP $INTERNAL 6939 -> $EXTERNAL 1024: (msg: "IDS89/trojan_trojan-active-indoctrination"; flags: SA; classtype: system-success; reference: arachnids,89;)
--
Phil Wood, cpw () lanl gov

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
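The point of the reply above is that the content option in these rules is a plain substring search on the payload of packets to the listed port, with depth and nocase the only modifiers used, so anything carrying that string to that port alerts, a copy of the rules file included. The parser and matcher below are an added example, not code from the post or from Snort: they take three of the quoted rules verbatim, ignore the flags option (an established session is assumed) and the $EXTERNAL/$INTERNAL variables, and do not handle port ranges such as 1024:.

```python
import re

# Three of the Snort 1.x rules quoted in the post above, copied verbatim.
RULES_TEXT = r'''
alert TCP $EXTERNAL any -> $INTERNAL 27665 (msg: "IDS525/ddos_ddos-trin00-attacker-to-master-gOrave"; flags: A+; content: "gOrave"; classtype: system-success; reference: arachnids,525;)
alert UDP $EXTERNAL any -> $INTERNAL 27444 (msg: "IDS197/ddos_ddos-trin00-master-to-daemon"; content: "l44adsl"; classtype: system-success; reference: arachnids,197;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS453/ftp_ftp-6350wu-formatstring-check"; flags: A+; content: "SITE EXEC |25 30 32 30 64 7C 25 2E 66 25 2E 66 7C 0A|"; depth: 32; nocase; classtype: system-attempt; reference: arachnids,453;)
'''
# alert <proto> <src> <sport> -> <dst> <dport> (<options>)
HEADER = re.compile(r'^alert\s+(\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s+\((.*)\)$')
OPTION = re.compile(r'(\w+)\s*:\s*"?([^";]*)"?\s*;')   # key: value;  (nocase; has no value)

def decode_content(text):
    """Expand the |hex| sections of a Snort content string into raw bytes."""
    out = b''
    for i, part in enumerate(text.split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode('latin-1')
    return out

def parse_rules(text):
    """Keep only the fields that decide a match; port ranges such as 1024: are not handled."""
    rules = []
    for line in text.strip().splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        proto, dport, opts = m.groups()
        kv = dict(OPTION.findall(opts))
        rules.append({'msg': kv['msg'], 'proto': proto.upper(),
                      'dport': None if dport == 'any' else int(dport),
                      'content': decode_content(kv['content']),
                      'depth': int(kv.get('depth', 0)),   # 0 = search the whole payload
                      'nocase': 'nocase;' in opts})
    return rules

RULES = parse_rules(RULES_TEXT)

def alerts(proto, dport, payload):
    """msg of every rule whose content occurs in the payload sent to proto/dport (flags: A+ ignored)."""
    hits = []
    for r in RULES:
        if r['proto'] != proto.upper() or (r['dport'] is not None and r['dport'] != dport):
            continue
        hay = payload[:r['depth']] if r['depth'] else payload   # depth limits the search window
        needle = r['content']
        if r['nocase']:
            hay, needle = hay.lower(), needle.lower()
        if needle in hay:
            hits.append(r['msg'])
    return hits
```

Running alerts('tcp', 27665, b'content: "gOrave";') returns the IDS525 message even though the payload is a fragment of the rules file rather than trin00 traffic, which is the false positive the aside warns about.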