[Snort-sigs] Stacheldraht Sigs

Ian Macdonald secsnortsigs at ...644...
Wed Aug 7 09:48:03 EDT 2002


Here are some new signatures based on traffic caught in the wild. The rules
are bidirectional since the messages could be coming from a compromised
machine with a handler on it or an agent on it. Also these rules are
different from existing ones: the icmp_id is different for this variant.

# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:
alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent (niggahbitch)"; content: "|6E 69 67 67 61 68 62 69 74 63 68|"; itype: 0; icmp_id: 9015; reference:arachnids,191; classtype:attempted-dos; sid:XXX; rev:1;)
--
Sid:
--
Summary:
Variant of Stacheldraht DDOS tool
--
Impact:
Likely you have a compromised machine and your machine is being used as a
ddos zombie.
--
Detailed Information:
This signature is based on traffic caught in the wild. Stacheldraht is a
distributed denial of service tool normally found on Sun Solaris machines.
It is made up of a client, handler and agent. The client connects to the
handler. Handlers can connect with up to 1000 agents. Communication between
the client and the handler is conducted using TCP and the communication
between the handler and the agent can be either TCP or ICMP echo reply. This
signature detects a message sent from the handler to the agent. This
traffic differs from the traffic described on
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis because the
packets have an ICMP id of 9015 rather than 1000 as noted in the analysis.

--
Attack Scenarios:
The agent can be used to mount a distributed denial of service attack. It
also means that a machine is compromised.
--
Ease of Attack:

--
False Positives: Shouldn't be any.
--
False Negatives: The ICMP id along with the keywords may be changed in the
source code to hide this traffic from being detected.
--
Corrective Action:
Take the machine offline asap and rebuild with a completely new install.
--
Contributors:
Ian Macdonald
--
Additional References:
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis
arachnids,191
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?id=advise43



Rule:
alert icmp $HOME_NET any <> $EXTERNAL_NET any (msg:"DDOS Stacheldraht agent->handler (skillz)"; content: "|73 6B 69 6C 6C 7A|"; itype: 0; icmp_id: 6666; reference:arachnids,191; classtype:attempted-dos; sid:XXX; rev:1;)
--
Sid:
--
Summary:
Variant of Stacheldraht DDOS tool
--
Impact:
Likely you have a compromised machine and your machine is being used as a
ddos zombie
--
Detailed Information:
This signature is based on traffic caught in the wild. Stacheldraht is a
distributed denial of service tool normally found on Sun Solaris machines.
It is made up of a client, handler and agent. The client connects to the
handler. Handlers can connect with up to 1000 agents. Communication between
the client and the handler is conducted using TCP and the communication
between the handler and the agent can be either TCP or ICMP echo reply. This
signature detects a message sent from the agent to the handler. This
message is used to tell the handler that the machine is still alive and able
to take requests. The handler will then reply with the string "ficken". This
traffic differs from the traffic described on
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis because the
packets have an ICMP id of 6666 rather than 666 as noted in the analysis.

--
Attack Scenarios:
The agent can be used to mount a distributed denial of service attack. It
also means that a machine is compromised.
--
Ease of Attack:

--
False Positives: Shouldn't be any.
--
False Negatives: The ICMP id along with the keywords may be changed in the
source code to hide this traffic from being detected.
--
Corrective Action:
Take the machine offline asap and rebuild with a completely new install.
--
Contributors:
Ian Macdonald
--
Additional References:
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis
arachnids,191
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?id=advise43


Rule:
alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent (ficken)"; content: "|66 69 63 6B 65 6E|"; itype: 0; icmp_id: 6667; reference:arachnids,191; classtype:attempted-dos; sid:XXX; rev:1;)
--
Sid:
--
Summary:
Variant of Stacheldraht DDOS tool
--
Impact:
Likely you have a compromised machine and your machine is being used as a
ddos zombie
--
Detailed Information:
This signature is based on traffic caught in the wild. Stacheldraht is a
distributed denial of service tool normally found on Sun Solaris machines.
It is made up of a client, handler and agent. The client connects to the
handler. Handlers can connect with up to 1000 agents. Communication between
the client and the handler is conducted using TCP and the communication
between the handler and the agent can be either TCP or ICMP echo reply. This
signature detects a message sent from the handler to the agent. This
message is used to respond to an agent message "skillz". The handler will
reply with the string "ficken". This traffic differs from the traffic
described on http://staff.washington.edu/dittrich/misc/stacheldraht.analysis
because the packets have an ICMP id of 6667 rather than 667 as noted in the
analysis.

--
Attack Scenarios:
The agent can be used to mount a distributed denial of service attack. It
also means that a machine is compromised.
--
Ease of Attack:

--
False Positives: Shouldn't be any.
--
False Negatives: The ICMP id along with the keywords may be changed in the
source code to hide this traffic from being detected.
--
Corrective Action:
Take the machine offline asap and rebuild with a completely new install.
--
Contributors:
Ian Macdonald
--
Additional References:
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis
arachnids,191
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?id=advise43
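The three rules above all test the same three things: ICMP type 0 (echo reply), a fixed ICMP identifier, and a byte string somewhere in the payload; the skillz/ficken pair additionally forms the keepalive exchange described for the second and third rules. The following is an added, stand-alone example (not code from the original post, from Snort, or from the Stacheldraht analysis) that applies those same conditions to constructed ICMP messages built in memory, and then walks a constructed two-packet flow to pair a "skillz" reply with the "ficken" answer so the agent and handler addresses fall out. The identifiers and hex contents are taken from the rules in the post; the host addresses, the sequence numbers and the checksum verification in parse_icmp are assumptions added for the example (the rules themselves say nothing about checksums, and the <> direction of the rules is not modelled).

```python
"""Matcher for the Stacheldraht ICMP echo-reply rules in the post.

Added example: constructs ICMP messages in memory and applies the rule
conditions (itype 0, icmp_id, content) exactly as the three rules state
them, then pairs a "skillz" keepalive with its "ficken" answer.
"""
import struct

# (rule message, icmp_id, content) -- values copied from the three rules above.
RULES = [
    ("DDOS Stacheldraht handler->agent (niggahbitch)", 9015,
     bytes.fromhex("6E 69 67 67 61 68 62 69 74 63 68")),
    ("DDOS Stacheldraht agent->handler (skillz)", 6666,
     bytes.fromhex("73 6B 69 6C 6C 7A")),
    ("DDOS Stacheldraht handler->agent (ficken)", 6667,
     bytes.fromhex("66 69 63 6B 65 6E")),
]

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
# ICMP header: type, code, checksum, identifier, sequence (all network order).
ICMP_HDR = struct.Struct("!BBHHH")


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message.
    Over a message whose checksum field is already correct this folds to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, icmp_id: int, seq: int, payload: bytes) -> bytes:
    """Constructed ICMP message (header + payload) with a valid checksum."""
    header = ICMP_HDR.pack(icmp_type, 0, 0, icmp_id, seq)
    csum = icmp_checksum(header + payload)
    return ICMP_HDR.pack(icmp_type, 0, csum, icmp_id, seq) + payload


def parse_icmp(packet: bytes):
    """Return (type, code, id, seq, payload), or None if the message is
    truncated or its checksum does not verify (an added sanity check, not
    something the Snort rules express)."""
    if len(packet) < ICMP_HDR.size:
        return None
    icmp_type, code, _csum, icmp_id, seq = ICMP_HDR.unpack(packet[:ICMP_HDR.size])
    if icmp_checksum(packet) != 0:
        return None
    return icmp_type, code, icmp_id, seq, packet[ICMP_HDR.size:]


def match_rules(packet: bytes):
    """Messages of the rules that fire on one ICMP packet (may be empty).
    Like Snort's content keyword, the byte string may sit anywhere in the
    payload; itype and icmp_id are compared against the header fields."""
    parsed = parse_icmp(packet)
    if parsed is None:
        return []
    icmp_type, _code, icmp_id, _seq, payload = parsed
    return [msg for msg, rule_id, content in RULES
            if icmp_type == ICMP_ECHO_REPLY and icmp_id == rule_id
            and content in payload]


def find_keepalive_pairs(flow):
    """flow: list of (src, dst, icmp_packet) in capture order (constructed).
    Returns (agent, handler) pairs where a "skillz" reply from agent->handler
    is later answered by a "ficken" reply from handler->agent, which is the
    exchange the second and third rules describe."""
    skillz_msg, ficken_msg = RULES[1][0], RULES[2][0]
    pending = set()   # (agent, handler) that sent skillz and await ficken
    pairs = []
    for src, dst, pkt in flow:
        hits = match_rules(pkt)
        if skillz_msg in hits:
            pending.add((src, dst))
        elif ficken_msg in hits and (dst, src) in pending:
            pending.discard((dst, src))
            pairs.append((dst, src))
    return pairs


if __name__ == "__main__":
    # Constructed flow: assumed agent 10.0.0.5 talking to assumed handler 203.0.113.7.
    flow = [
        ("10.0.0.5", "203.0.113.7", build_icmp(ICMP_ECHO_REPLY, 6666, 1, b"skillz")),
        ("203.0.113.7", "10.0.0.5", build_icmp(ICMP_ECHO_REPLY, 6667, 1, b"ficken")),
        # Same string, but an echo request with the Dittrich-era id: no rule fires.
        ("10.0.0.5", "203.0.113.7", build_icmp(ICMP_ECHO_REQUEST, 666, 2, b"skillz")),
    ]
    for src, dst, pkt in flow:
        print(src, "->", dst, match_rules(pkt))
    print("agent/handler pairs:", find_keepalive_pairs(flow))
```

The third packet in the demo flow illustrates the false-negative note in the post: the same keyword with a different ICMP id, or sent as an echo request instead of a reply, does not match, which is exactly why a variant with changed ids needed new rules. On a real sensor the direction check that the rules leave open with <> would be done on the IP addresses, as find_keepalive_pairs does here.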