ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
attacks, as well as providing an "on demand" root shell bound to a TCP port. TFN is currently being developed and
tested on a large number of compromised Unix systems on the Internet, along with another distributed denial of service
tool named "trinoo". This event detects ICMP packets in which icmptype is 0.
Signature ID: 4087
Trin00 DDOS attack traffic detection
Threat Level: Severe
Industry ID: CVE-2000-0138
Signature Description: Trin00 is a distributed denial of service attack tool. Denial of service attacks can crash the target
system. Trin00 allows an attacker to control several hosts to make them send a UDP flood to another host. The Trin00 client
program controls several servers (aka "masters" or "handlers") and several agents (aka "daemons" or "zombies"). Both
the masters and daemons are systems that are remote to the client and have been infiltrated and compromised by
installation of Trin00 master or daemon programs. Thus, the true source of the attack is nearly untraceable. The Trin00
master can make several requests to the Trin00 daemon. These include instructions to start/stop flooding a host with
UDP packets and instructions to change the UDP flood configuration of the daemon. This signature detects the Trin00
master password that controls the "mdie" command.
Signature ID: 4088
Trin00 DDOS attack traffic detection
Threat Level: Severe
Industry ID: CVE-2000-0138
Nessus: 10501
Signature Description: Trin00 is a distributed denial of service attack tool. Denial of service attacks can crash the target
system. Trin00 allows an attacker to control several hosts to make them send a UDP flood to another host. The Trin00 client
program controls several servers (aka "masters" or "handlers") and several agents (aka "daemons" or "zombies"). Both
the masters and daemons are systems that are remote to the client and have been infiltrated and compromised by
installation of Trin00 master or daemon programs. Thus, the true source of the attack is nearly untraceable. The Trin00
master can make several requests to the Trin00 daemon. These include instructions to start/stop flooding a host with
UDP packets and instructions to change the UDP flood configuration of the daemon. This signature detects the Trin00
master server startup password.
Signature ID: 4089
DDOS Trin00 Daemon to Master *HELLO* message
Threat Level: Severe
Industry ID: CVE-2000-0138
Nessus: 10501
Signature Description: Trin00 is a distributed denial of service attack tool. Denial of service attacks can crash the target
system. Trin00 allows an attacker to control several hosts to make them send a UDP flood to another host. The Trin00 client
program controls several servers (aka "masters" or "handlers") and several agents (aka "daemons" or "zombies"). Both
the masters and daemons are systems that are remote to the client and have been infiltrated and compromised by
installation of Trin00 master or daemon programs. Thus, the true source of the attack is nearly untraceable. The Trin00
master can make several requests to the Trin00 daemon. These include instructions to start/stop flooding a host with
UDP packets and instructions to change the UDP flood configuration of the daemon. This signature detects the Trin00
master server 'HELLO' message.
Signature ID: 4090
DDOS Trin00 Daemon to Master PONG message
Threat Level: Severe
Industry ID: CVE-2000-0138
Nessus: 10501
Signature Description: Trin00 is a distributed denial of service attack tool. Denial of service attacks can crash the target
system. Trin00 allows an attacker to control several hosts to make them send a UDP flood to another host. The Trin00 client
program controls several servers (aka "masters" or "handlers") and several agents (aka "daemons" or "zombies"). Both