# $Id: ddos-lib,v 1.2 2000/11/18 08:25:04 roesch Exp $
# Snort 1.x signature set for the classic DDoS handler/agent tools named in the
# msg strings below: mstream, Trin00, Stacheldraht, TFN and shaft.  Each rule
# matches one step of a tool's control traffic (client -> handler, handler ->
# agent, agent -> handler) by protocol, fixed port and, where one is known, a
# payload string.  Notes for whoever deploys this file:
#   * $HOME_NET and $EXTERNAL_NET are expected to be defined by the snort.conf
#     that includes this file.  The mstream rules alone use "any -> any" and
#     therefore also fire on internal-to-internal and outbound traffic; every
#     other rule watches only $EXTERNAL_NET -> $HOME_NET (or the reverse for
#     agent responses and the outgoing flood rule).
#   * The "IDSnnn" prefix in a msg is the signature's cross-reference ID (it
#     looks like an arachNIDS number); keep it intact when editing msg text so
#     alerts stay correlatable.  Two rules on tcp/12754 both carry IDS110 and
#     one msg ("IDS101- DDoS") is missing the space after the ID -- see the
#     per-rule notes before building correlation on these labels.
#   * "flags: AP" and "flags:PA" are the same test (ACK and PSH set); only the
#     spelling differs between rules.
#   * Several rules are port-only or match a very short string; treat those as
#     leads to investigate, not as proof of compromise.

# mstream: any SYN to tcp/15104 (the port the handler accepts clients on).  No
# payload is checked, so port scans and any unrelated service on 15104 trigger
# it too; corroborate with the ">" rules on the same ports before acting.
alert tcp any any -> any 15104 (msg: "IDS111 - DDoS - mstream client to handler"; flags: S;)
# mstream handler -> client on tcp/12754.  The only payload check is the single
# byte ">" (presumably the handler's prompt character -- verify against a
# capture), so any interactive session on this port can match.
alert tcp any 12754 -> any any (msg: "IDS110 - DDoS - mstream handler to client"; content: ">"; flags: AP;)
# mstream client -> handler on tcp/12754, same single-byte ">" check.  This rule
# reuses the IDS110 label of the opposite-direction rule above; confirm the
# intended ID before using it for correlation.
alert tcp any any -> any 12754 (msg: "IDS110 - DDoS - mstream client to handler"; content: ">"; flags: AP;)
# mstream agent -> handler keepalive reply "pong" on udp/10498.  Content matches
# in this file are unanchored: any datagram to the port containing the word hits.
alert udp any any -> any 10498 (msg: "IDS103 - DDoS - mstream agent pong to handler" ; content: "pong";)
# mstream handler -> agent keepalive "ping" on udp/10498 (unanchored, see above).
alert udp any any -> any 10498 (msg: "IDS102 - DDoS - mstream handler ping to agent" ; content: "ping";)
# mstream handler -> agent command containing "stream/" on udp/10498.  The msg
# label lacks the space after "IDS101"; a parser keyed on "IDSnnn - " will miss
# this alert, so fix the label together with whatever consumes it.
alert udp any any -> any 10498 (msg: "IDS101- DDoS - mstream handler to agent"; content: "stream/"; )
# mstream agent -> handler "newserver" message on udp/6838.
alert udp any any -> any 6838 (msg: "IDS100 - DDoS - mstream agent to handler"; content: "newserver"; )
# mstream handler -> client on tcp/15104, same single-byte ">" check as the
# 12754 rules and the same false-positive caveat.
alert tcp any 15104 -> any any (msg: "IDS112 - DDoS - mstream handler to client"; content: ">"; flags: AP;)
# Trin00 attacker -> master on tcp/27665: the default "mdie" password "killme"
# sent in cleartext.  All three Trin00 password rules in this file match only
# the tool's defaults; a master rebuilt with other passwords is not detected.
alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDoS - Trin00 Attacker to Master-default mdie pass detected!";flags:PA; content:"killme";)
# Stacheldraht control traffic rides in ICMP echo replies (itype 0) with a fixed
# icmp_id and a short ASCII string given here as hex.  Client -> agent check,
# "gag" variant: id 668, payload "gesundheit!".
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS194 - DDoS - Stacheldraht client-check-gag"; content: "|67 65 73 75 6E 64 68 65 69 74 21|"; itype: 0; icmp_id: 668;)
# Stacheldraht client -> agent check: id 666, payload "skillz".
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS190 - DDoS - Stacheldraht client-check"; content: "|73 6B 69 6C 6C 7A|"; itype: 0; icmp_id: 666;)
# Trin00 daemon -> master on udp/31335: "PONG" keepalive reply.
alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"IDS187 - DDoS - Trin00:DaemontoMaster(PONGdetected)"; content:"PONG";)
# Trin00 daemon -> master on udp/31335: three-byte match "l44".  Short enough to
# hit unrelated UDP payloads on this port; check the full datagram before acting.
alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"IDS186 - DDoS - Trin00:DaemontoMaster(messagedetected)"; content:"l44";)
# Trin00 daemon -> master on udp/31335: "*HELLO*" announcement.
alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"IDS185 - DDoS - Trin00:DaemontoMaster(*HELLO*detected)"; content:"*HELLO*";)
# Stacheldraht client -> agent: id 1000, payload "spoofworks" (presumably the
# answer to the 3.3.3.3 spoof test below -- confirm against the tool).
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS192 - DDoS - Stacheldraht client-spoofworks"; content: "|73 70 6F 6F 66 77 6F 72 6B 73|"; itype: 0; icmp_id: 1000;)
# Trin00 attacker -> master on tcp/27665: default "r.i." password "gOrave".
alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDoS - Trin00 Attacker to Master defaultr.i.passdetected!";flags:PA; content:"gOrave";)
# TFN server -> client response in an ICMP echo reply: id 123, seq 0, payload
# "shell bound to port" (hex above decodes to that string).
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS182 - DDoS - TFN server response"; content: "|73 68 65 6C 6C 20 62 6F 75 6E 64 20 74 6F 20 70 6F 72 74|"; itype: 0; icmp_id: 123; icmp_seq: 0;)
# Trin00 attacker -> master on tcp/27665: default startup password "betaalmostdone".
alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"IDS196 - DDoS - Trin00:Attacker to Master default startup pass detected!";flags:PA; content:"betaalmostdone";)
# Stacheldraht agent -> client response leaving $HOME_NET: id 667, payload
# "ficken".  A hit here means a host inside $HOME_NET is answering a handler.
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"IDS191 - DDoS - Stacheldraht server-response"; content: "|66 69 63 6B 65 6E|"; itype: 0; icmp_id: 667;)
# Stacheldraht agent -> client response, "gag" variant: id 669, payload "sicken".
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"IDS195 - DDoS - Stacheldraht server-response-gag"; content: "|73 69 63 6B 65 6E|"; itype: 0; icmp_id: 669;)
# Stacheldraht agent spoof test: an echo reply with id 666 and a forged source of
# 3.3.3.3.  The source is pinned to that literal because the packet is spoofed
# and would never match $HOME_NET.  No payload is checked.  A sensor placed
# behind anti-spoofing egress filtering may never see this packet at all.
alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (msg:"IDS193 - DDoS - Stacheldraht server-spoof"; itype: 0; icmp_id: 666;)
# Trin00 master -> daemon on udp/27444: default password "l44adsl".
alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"IDS197 - DDoS - Trin00:MastertoDaemon(defaultpassdetected!)"; content:"l44adsl";)
# TFN client -> server command, little-endian form: echo reply with id 51201
# (0xC801) and seq 0.  51201 and the 456 (0x01C8) of the BE rule below are the
# same 16-bit value byte-swapped, which is why both rules exist.  No payload is
# checked, so an ordinary echo reply that happens to carry this id with
# sequence 0 also matches.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS183 - DDoS - TFN client command LE"; itype: 0; icmp_id: 51201; icmp_seq: 0;)
# shaft client -> handler on tcp/20432.  There is no content check at all: every
# ACK+PSH packet to that port fires.  Expect noise if anything else listens there.
alert tcp $EXTERNAL_NET any -> $HOME_NET 20432 (msg:"IDS254 - DDoS shaft client to handler"; flags: AP;)
# shaft handler -> agent on udp/18753: "alive tijgu" (the second word is
# presumably a tool password -- confirm before tuning on it).
alert udp $EXTERNAL_NET any -> $HOME_NET 18753 (msg:"IDS255 - DDoS shaft handler to agent"; content: "alive tijgu";)
# shaft agent -> handler on udp/20433: only the word "alive", so weak on its own.
alert udp $EXTERNAL_NET any -> $HOME_NET 20433 (msg:"IDS256 - DDoS shaft agent to handler"; content: "alive";)
# shaft SYN flood leaving $HOME_NET (i.e. a flooding agent inside): a SYN from a
# source port in 0-1024 (":1024") carrying the constant initial sequence number
# 674711609.  Every outbound SYN is inspected, but the fixed ISN keeps this
# specific.
alert tcp $HOME_NET :1024 -> $EXTERNAL_NET any (msg:"IDS253 - DDoS shaft synflood outgoing"; flags: S; seq: 674711609;)
# shaft SYN flood arriving at $HOME_NET; same ISN and source-port test as above.
alert tcp $EXTERNAL_NET :1024 -> $HOME_NET any (msg:"IDS252 - DDoS shaft synflood incoming"; flags: S; seq: 674711609;)
# TFN client -> server command, big-endian form: id 456 (0x01C8), seq 0, no
# payload check (see the LE rule for the byte-swap relationship and caveat).
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS184 - DDoS - TFN client command BE"; itype: 0; icmp_id: 456; icmp_seq: 0;)