TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
the masters and daemons are systems that are remote to the client and have been infiltrated and compromised by
installation of Trin00 master or daemon programs. Thus, the true source of the attack is nearly untraceable. The Trin00
master can make several requests to the Trin00 daemon, including instructions to start or stop flooding a host with
UDP packets and instructions to change the daemon's UDP flood configuration. This signature detects the Trin00
master server's 'PONG' message.
Signature ID: 4091
DDOS Trin00 Daemon to Master message
Threat Level: Severe
Industry ID: CVE-2000-0138 Nessus: 10501
Signature Description: Trin00 is a distributed denial of service attack tool. Denial of service attacks can crash the target
system. Trin00 allows an attacker to control several hosts and make them send a UDP flood to another host. The Trin00
client program controls several servers (aka "masters" or "handlers") and several agents (aka "daemons" or "zombies"). Both
the masters and daemons are systems that are remote to the client and have been infiltrated and compromised by
installation of Trin00 master or daemon programs. Thus, the true source of the attack is nearly untraceable. The Trin00
master can make several requests to the Trin00 daemon, including instructions to start or stop flooding a host with
UDP packets and instructions to change the daemon's UDP flood configuration. This signature detects the daemon-to-master message.
Signature ID: 4092
Request to Trojan/backdoorTrin00 Server
Threat Level: Severe
Industry ID: CVE-2000-0138 CVE-1999-0660 Nessus:
10288,10024,10152,10151,10409,10053,10270,10501,10307,10350,10920,10921,10501
Signature Description: The Unix version of Trin00 listens by default on UDP port 27444. Trin00 is a trojan that can be used
to control your system or to make it attack another network (it is properly described as a distributed denial of service
attack tool). It is very likely that a host receiving this traffic has been compromised. In the Unix version of Trin00, the IP
address of the master can be recovered by examining the daemon's binary executable.
Signature ID: 4093
DDOS tool Mstream agent's 'pong' to the handler DOS vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0138
Signature Description: Mstream is a distributed denial of service attack tool. Denial of service attacks can crash the
target system. The mstream network, like trinoo and shaft, is made up of one or more handlers and a large set of agents.
An attacker sends instructions to the handlers, which in turn control the agents. Hence, the true source of the attack is nearly
untraceable. Attacker-to-handler communication is at present unencrypted over TCP, and handler-to-agent
communication is unencrypted over UDP. This rule detects an mstream agent's "pong" response to an mstream handler's "ping"
request.
Signature ID: 4094
Mstream agent to handler DDOS vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0138
Nessus: 10501
Signature Description: Mstream is a distributed denial of service attack tool. Denial of service attacks can crash the
target system. The mstream network, like trinoo and shaft, is made up of one or more handlers and a large set of agents.
An attacker sends instructions to the handlers, which in turn control the agents. Hence, the true source of the attack is nearly
untraceable. Attacker-to-handler communication is at present unencrypted over TCP, and handler-to-agent
communication is unencrypted over UDP. This signature detects mstream handler communication with a client over
port 6838.
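The four Trin00 and mstream signatures above (4091 to 4094) all reduce to the same pattern: a destination port, a transport protocol, and optionally a control string in the payload. The following Python is an added example written for this page, not ProCurve's signature engine or the tools' own code. It reproduces that matching logic over a handful of constructed packet records and adds the correlation a practitioner wants before declaring a host compromised. Ports 27444 (signature 4092) and 6838 (signature 4094) and the 'PONG'/'pong' strings come from the descriptions above; the Trin00 daemon-to-master port 31335, the mstream agent-to-handler port 10498, and the 'png'/'ping' request strings in the sample traffic are assumptions taken from published analyses of the tools, not from this guide.

```python
"""Signature-style matching for the Trin00 and mstream control traffic
described in signatures 4091-4094, run over constructed packet records.
Added example, not ProCurve or tool-author code."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    sig_id: int
    name: str
    proto: str
    dport: int
    content: Optional[bytes]   # None = port-only match (noisy, see below)
    threat: str


# Ports 27444 and 6838 are from the guide; 31335 and 10498 are assumptions
# (commonly published defaults for these tools), not stated on the page.
RULES = [
    Rule(4091, "DDOS Trin00 Daemon to Master message", "udp", 31335, b"PONG", "Severe"),
    Rule(4092, "Request to Trojan/backdoor Trin00 Server", "udp", 27444, None, "Severe"),
    Rule(4093, "DDOS tool Mstream agent's 'pong' to the handler", "udp", 10498, b"pong", "Warning"),
    Rule(4094, "Mstream handler communication with client", "tcp", 6838, None, "Warning"),
]


def match_packet(pkt: Packet) -> list:
    """Every rule whose protocol, destination port and (if set) content match."""
    return [r for r in RULES
            if r.proto == pkt.proto and r.dport == pkt.dport
            and (r.content is None or r.content in pkt.payload)]


def scan(packets: list) -> list:
    """One (sig_id, threat, src, dst) alert per packet/rule match, in capture order."""
    return [(r.sig_id, r.threat, pkt.src, pkt.dst)
            for pkt in packets for r in match_packet(pkt)]


def suspected_trin00_daemons(packets: list) -> set:
    """Hosts that were sent a request on the daemon port (4092) AND afterwards
    answered a master with PONG (4091). Signature 4092 is port-only, so it also
    fires on scanners probing 27444; requiring the PONG reply separates a real
    daemon from a host that merely received a probe."""
    requested, confirmed = set(), set()
    for pkt in packets:                       # assumes capture order
        ids = {r.sig_id for r in match_packet(pkt)}
        if 4092 in ids:
            requested.add(pkt.dst)
        if 4091 in ids and pkt.src in requested:
            confirmed.add(pkt.src)
    return confirmed


# Constructed sample traffic (not a real capture). 'png' and 'ping' as the
# master/handler request strings are assumptions.
SAMPLE = [
    Packet("udp", "10.0.0.5", 1234, "10.0.0.9", 27444, b"png"),     # master -> daemon request
    Packet("udp", "10.0.0.9", 2000, "10.0.0.5", 31335, b"PONG"),    # daemon -> master reply
    Packet("udp", "10.0.0.20", 7983, "10.0.0.30", 10498, b"pong"),  # mstream agent -> handler
    Packet("tcp", "10.0.0.7", 40000, "10.0.0.30", 6838, b""),       # client -> mstream handler
    Packet("udp", "10.0.0.1", 53, "10.0.0.2", 53, b"\x12\x34"),      # benign, no match
    Packet("udp", "192.0.2.9", 4444, "10.0.0.11", 27444, b"\x00"),  # scanner probe, never answered
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
    print("confirmed trin00 daemons:", suspected_trin00_daemons(SAMPLE))
```

Running it, the port-only rule 4092 fires for both 10.0.0.9 and 10.0.0.11, but only 10.0.0.9 is reported as a confirmed daemon because only it sent the PONG reply; that two-step correlation is the check worth adding on top of a Severe port-based alert before treating a host as compromised.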