# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
#
# This file may contain proprietary rules that were created, tested and
# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
# rules that were created by Sourcefire and other third parties and
# distributed under the GNU General Public License (the "GPL Rules"). The
# VRT Certified Rules contained in this file are the property of
# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
# The GPL Rules created by Sourcefire, Inc. are the property of
# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
# Reserved. All other GPL Rules are owned and copyrighted by their
# respective owners (please see www.snort.org/contributors for a list of
# owners and their respective copyrights). In order to determine what
# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
# Certified Rules License Agreement.
#
#
# $Id: ddos.rules,v 1.31.6.7 2008/03/07 20:53:40 vrtbuild Exp $
#-----------
# DDOS RULES
#-----------
#
# Signatures for the control traffic of several classic DDoS agent/handler
# toolkits (TFN, TFN2K, Trin00, shaft, mstream, Stacheldraht). Every rule
# carries reference:cve,2000-0138 and an arachnids reference where one
# exists; the metadata "policy ... drop" tags mark which inline policies
# drop rather than alert.
#
# Note on direction: rules written $EXTERNAL_NET -> $HOME_NET look for a
# handler/attacker reaching an agent inside the monitored network; rules
# written $HOME_NET -> $EXTERNAL_NET (the "server response" rules below)
# fire on traffic leaving the monitored network, i.e. on a host inside
# $HOME_NET that appears to be acting as an agent or handler. Rules using
# "<>" match either direction.
#
# NOTE(review): these rules depend on fixed handler/agent port numbers and
# fixed ICMP id values; tooling that changes them will not be matched.

# --- TFN / TFN2K -----------------------------------------------------------
# TFN probe: ICMP echo request (itype:8) with id 678 and payload "1234".
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN Probe"; icmp_id:678; itype:8; content:"1234"; metadata:policy balanced-ips drop, policy security-ips drop; reference:arachnids,443; reference:cve,2000-0138; classtype:attempted-recon; sid:221; rev:7;)
# TFN2K: ICMP echo reply with id 0 and a run of ten "A" bytes in the payload.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS tfn2k icmp possible communication"; icmp_id:0; itype:0; content:"AAAAAAAAAA"; metadata:policy balanced-ips drop, policy security-ips drop; reference:arachnids,425; reference:cve,2000-0138; classtype:attempted-dos; sid:222; rev:5;)

# --- Trin00 ----------------------------------------------------------------
# Daemon -> master PONG reply on either of the two master ports.
alert udp $EXTERNAL_NET any -> $HOME_NET [31335,35555] (msg:"DDOS Trin00 Daemon to Master PONG message detected"; flow:to_server; content:"PONG"; metadata:policy balanced-ips drop, policy security-ips drop; reference:arachnids,187; reference:cve,2000-0138; classtype:attempted-recon; sid:223; rev:8;)

# --- TFN client commands ---------------------------------------------------
# TFN command "BE": ICMP echo reply, id 456, seq 0, payload starting with
# 1-5 ASCII digits followed by a NUL byte.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN client command BE"; icmp_id:456; icmp_seq:0; itype:0; pcre:"/^[0-9]{1,5}\x00/"; metadata:policy balanced-ips drop, policy security-ips drop; reference:arachnids,184; reference:cve,2000-0138; classtype:attempted-dos; sid:228; rev:7;)

# --- shaft -----------------------------------------------------------------
# Handler (inside $HOME_NET, TCP 20432) sending the "login:" prompt outbound.
alert tcp $HOME_NET 20432 -> $EXTERNAL_NET any (msg:"DDOS shaft client login to handler"; flow:from_server,established; content:"login|3A|"; metadata:policy security-ips drop; reference:arachnids,254; reference:cve,2000-0138; reference:url,security.royans.net/info/posts/bugtraq_ddos3.shtml; classtype:attempted-dos; sid:230; rev:7;)
# Handler -> agent keepalive on UDP 18753 ("alive tijgu").
alert udp $EXTERNAL_NET any -> $HOME_NET 18753 (msg:"DDOS shaft handler to agent"; flow:to_server; content:"alive tijgu"; metadata:policy balanced-ips drop, policy security-ips drop; reference:arachnids,255; reference:cve,2000-0138; classtype:attempted-dos; sid:239; rev:6;)
# Agent -> handler keepalive on UDP 20433 ("alive").
alert udp $EXTERNAL_NET any -> $HOME_NET 20433 (msg:"DDOS shaft agent to handler"; flow:to_server; content:"alive"; metadata:policy balanced-ips drop, policy security-ips drop; reference:arachnids,256; reference:cve,2000-0138; classtype:attempted-dos; sid:240; rev:6;)
# Disabled in this release: matches SYN packets with a single fixed initial
# sequence number (seq:674711609) in either direction.
# alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"DDOS shaft synflood"; flow:stateless; flags:S,12; seq:674711609; metadata:policy security-ips drop; reference:arachnids,253; reference:cve,2000-0138; classtype:attempted-dos; sid:241; rev:11;)

# --- Trin00 (continued) ----------------------------------------------------
# Daemon -> master messages on UDP 31335.
alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master message detected"; flow:to_server; content:"l44"; metadata:policy security-ips drop; reference:arachnids,186; reference:cve,2000-0138; classtype:attempted-dos; sid:231; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master *HELLO* message detected"; flow:to_server; content:"*HELLO*"; metadata:policy balanced-ips drop, policy security-ips drop; reference:arachnids,185; reference:cve,2000-0138; reference:url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm; classtype:attempted-dos; sid:232; rev:9;)
# Attacker -> master (TCP 27665): the three well-known default passwords sent
# over an established session. Matching one of these on an internal host is
# a strong indicator that the host is running a Trin00 master.
alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default startup password"; flow:established,to_server; content:"betaalmostdone"; metadata:policy balanced-ips drop, policy security-ips drop; reference:arachnids,197; reference:cve,2000-0138; classtype:attempted-dos; sid:233; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default password"; flow:established,to_server; content:"gOrave"; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2000-0138; classtype:attempted-dos; sid:234; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default mdie password"; flow:established,to_server; content:"killme"; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2000-0138; classtype:bad-unknown; sid:235; rev:5;)
# Master -> daemon default password on UDP 27444.
alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"DDOS Trin00 Master to Daemon default password attempt"; flow:to_server; content:"l44adsl"; metadata:policy balanced-ips drop, policy security-ips drop; reference:arachnids,197; reference:cve,2000-0138; classtype:attempted-dos; sid:237; rev:6;)

# --- TFN server response (outbound) ----------------------------------------
# Fires on an internal host replying "shell bound" via ICMP echo reply id 123.
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS TFN server response"; icmp_id:123; itype:0; content:"shell bound"; metadata:policy balanced-ips drop, policy security-ips drop; reference:arachnids,182; reference:cve,2000-0138; classtype:attempted-dos; sid:238; rev:10;)

# --- mstream ---------------------------------------------------------------
# Agent -> handler on UDP 6838, handler -> agent on UDP 10498.
alert udp $EXTERNAL_NET any -> $HOME_NET 6838 (msg:"DDOS mstream agent to handler"; flow:to_server; content:"newserver"; metadata:policy security-ips drop; reference:cve,2000-0138; classtype:attempted-dos; sid:243; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler to agent"; flow:to_server; content:"stream/"; metadata:policy security-ips drop; reference:cve,2000-0138; classtype:attempted-dos; sid:244; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler ping to agent"; flow:to_server; content:"ping"; metadata:policy security-ips drop; reference:cve,2000-0138; classtype:attempted-dos; sid:245; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream agent pong to handler"; flow:to_server; content:"pong"; metadata:policy security-ips drop; reference:cve,2000-0138; classtype:attempted-dos; sid:246; rev:5;)
# Client <-> handler prompt on TCP 12754. The only content anchor is the
# single byte ">", so the port is doing almost all of the work here; expect
# false positives if anything else legitimately uses TCP 12754.
alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 (msg:"DDOS mstream client to handler"; flow:to_server,established; content:">"; metadata:policy security-ips drop; reference:cve,2000-0138; classtype:attempted-dos; sid:247; rev:5;)
alert tcp $HOME_NET 12754 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; flow:to_client,established; content:">"; metadata:policy security-ips drop; reference:cve,2000-0138; classtype:attempted-dos; sid:248; rev:5;)
# Disabled in this release: same prompt check on the alternate port 15104.
# alert tcp $HOME_NET 15104 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; flow:from_server,established; content:">"; metadata:policy security-ips drop; reference:cve,2000-0138; classtype:attempted-dos; sid:250; rev:6;)

# --- TFN client command LE -------------------------------------------------
# Same payload shape as sid 228 but with ICMP id 51201.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS - TFN client command LE"; icmp_id:51201; icmp_seq:0; itype:0; pcre:"/^[0-9]{1,5}\x00/"; metadata:policy balanced-ips drop, policy security-ips drop; reference:arachnids,183; reference:cve,2000-0138; classtype:attempted-dos; sid:251; rev:7;)

# --- Stacheldraht ----------------------------------------------------------
# Matches ICMP echo replies with id 666 whose source address is 3.3.3.3
# exactly (a spoofed source, per the msg); no content check.
alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server spoof"; icmp_id:666; itype:0; metadata:policy balanced-ips drop, policy security-ips drop; reference:arachnids,193; reference:cve,2000-0138; classtype:attempted-dos; sid:224; rev:6;)
# Outbound server responses from an internal host (ids 669 / 667).
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht gag server response"; icmp_id:669; itype:0; content:"sicken"; metadata:policy balanced-ips drop, policy security-ips drop; reference:arachnids,195; reference:cve,2000-0138; classtype:attempted-dos; sid:225; rev:9;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server response"; icmp_id:667; itype:0; content:"ficken"; metadata:policy balanced-ips drop, policy security-ips drop; reference:arachnids,191; reference:cve,2000-0138; classtype:attempted-dos; sid:226; rev:9;)
# Inbound client checks and commands (ids 1000 / 668 / 666).
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client spoofworks"; icmp_id:1000; itype:0; content:"spoofworks"; metadata:policy balanced-ips drop, policy security-ips drop; reference:arachnids,192; reference:cve,2000-0138; classtype:attempted-dos; sid:227; rev:9;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client check gag"; icmp_id:668; itype:0; content:"gesundheit!"; metadata:policy balanced-ips drop, policy security-ips drop; reference:arachnids,194; reference:cve,2000-0138; classtype:attempted-dos; sid:236; rev:9;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client check skillz"; icmp_id:666; itype:0; content:"skillz"; metadata:policy balanced-ips drop, policy security-ips drop; reference:arachnids,190; reference:cve,2000-0138; classtype:attempted-dos; sid:229; rev:8;)
# Handler <-> agent exchanges, matched in either direction ("<>"), keyed on
# ICMP ids 9015 / 6666 / 6667 plus the fixed keyword in the payload.
alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent niggahbitch"; icmp_id:9015; itype:0; content:"niggahbitch"; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2000-0138; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1854; rev:10;)
alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht agent->handler skillz"; icmp_id:6666; itype:0; content:"skillz"; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2000-0138; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1855; rev:10;)
alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent ficken"; icmp_id:6667; itype:0; content:"ficken"; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2000-0138; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1856; rev:10;)