1856.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:

--
Sid:
1856

--
Summary:
This event is generated when activity indicating the presence of a
variant of the Stacheldraht DDOS tool is detected.

--
Impact:
Distributed Denial of Service (DDoS) is possible.

--
Detailed Information:
Stracheldraht is a Distributed denial of service tool normally found on
Sun Solaris machines. It is made up of a Client, handler and agent. The
clients connects to the handler. Handlers can connect with up to 1000
agents. Communication between the client and the handler is conducted
using tcp and the communication between the handler and the agent can be
either tcp or icmp_echoreply. This rule detects the message sent from
the handler to the agent. This message is used to respond to a agent
message "skillz". The handler will reply with the string "ficken". This
traffic differs from the traffic described on
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis because
the packets have an icmp id of 6667 rather than 667 as noted in the analysis.

--
Affected Systems:
	Sun Solaris

--
Attack Scenarios:
The agent can be used to mount a distributed denial of service attack. It
also indicates that a machine is compromised.

--
Ease of Attack:
Simple.

--
False Positives:
None known.

--
False Negatives:
The icmp id along with the keywords may be changed in the
source code which would then evade this rule.

--
Corrective Action:
Disconnect power from the machine and perform forensic analysis on the
hard drives.

--
Contributors:
Snort documentation contributed by Ian Macdonald
Sourcefire Vulnerability Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

--