[Snort-users] DDOS Trin00

Phil Wood cpw at ...440...
Wed Nov 21 07:18:26 EST 2001


On Tue, Nov 20, 2001 at 05:02:33PM -0700, james wrote:
> Whitehats is down, can anyone tell me how specific the DDOS Trin00 rule is ?
> 
I can't tell you.  But, if you look over the rules, and check the content
elements, it will give you an idea.  (as an aside, make sure you are not
monitoring a network on which you backup your file systems which have the
rule sets, or you will get alerts%^).  Here are the rules as of 20010821.1454:

alert TCP $EXTERNAL any -> $INTERNAL 27665 (msg: "IDS525/ddos_ddos-trin00-attacker-to-master-gOrave"; flags: A+; content: "gOrave"; classtype: system-success; reference: arachnids,525;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS451/ftp_ftp-solaris28-formatstring"; flags: A+; content: "|901BC00F 82102017 91D02008|"; classtype: system-attempt; reference: arachnids,451;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS430/web-cgi_http-php_strings_exploit-portal-tf8"; flags: A+; content: "?STRENGUR "; classtype: system-attempt; reference: arachnids,430;)
alert UDP $EXTERNAL any -> $INTERNAL 27444 (msg: "IDS197/ddos_ddos-trin00-master-to-daemon"; content: "l44adsl"; classtype: system-success; reference: arachnids,197;)
alert UDP any any -> any 31335 (msg: "IDS187/ddos_ddos-trin00-daemon-to-master-pong"; content: "PONG"; classtype: system-success; reference: arachnids,187;)
alert TCP $EXTERNAL any -> $INTERNAL 27665 (msg: "IDS528/ddos_ddos-trin00-attacker-to-master-killme"; flags: A+; content: "killme"; classtype: system-success; reference: arachnids,528;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS431/web-cgi_http-php_strings_exploit-atstake"; flags: A+; content: "|ba49feffff f7d2 b9bfffffff f7d1|"; classtype: system-attempt; reference: arachnids,431;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS453/ftp_ftp-6350wu-formatstring-check"; flags: A+; content: "SITE EXEC |25 30 32 30 64 7C 25 2E 66 25 2E 66 7C 0A|"; depth: 32; nocase; classtype: system-attempt; reference: arachnids,453;)
alert TCP $EXTERNAL any -> $INTERNAL 27665 (msg: "IDS196/ddos_ddos-trin00-attacker-to-master"; flags: A+; content: "betaalmostdone"; classtype: system-success; reference: arachnids,196;)
alert UDP $EXTERNAL any -> $INTERNAL 31335 (msg: "IDS185/ddos_ddos-trin00-daemon-to-master"; content: "*HELLO*"; classtype: system-success; reference: arachnids,185;)
alert UDP $EXTERNAL any -> $INTERNAL 27444 (msg: "IDS186/ddos_ddos-trin00-master-to-daemon-png"; content: "png l44"; classtype: system-success; reference: arachnids,186;)
alert TCP $INTERNAL 6939 -> $EXTERNAL 1024: (msg: "IDS89/trojan_trojan-active-indoctrination"; flags: SA; classtype: system-success; reference: arachnids,89;)

> 
> James Edwards
> jamesh at ...3784...
> At the Santa Fe Office: Internet at Cyber Mesa
> Store hours: 9-6 Monday through Friday
> Phone support 365 days till 10 pm via the Santa Fe office:
> 505-988-9200 or Toll Free: 888-988-2700

-- 
Phil Wood, cpw at ...440...
