Re: Analysis of trin00

From: Stefan Aeschbacher (stefanat_private)
Date: Thu Dec 09 1999 - 00:21:51 PST


    Hi
    here are some snort rules which could show the presence of a trin00
    network in the observed IP-range. These rules work only as long as the
    ports/passwords/protocol aren't changed.
    The rules are not tested, they rely on the paper of Dave Dittrich posted
    in Bugtraq (for more information see this great paper). If you have
    programs using high numbered UDP ports some of the rules will give
    false alarms.
    Another way to identify trin00 would be the search for the packets that
    contain one of the daemon or master commands. Unfortunately most of them
    are strings which are common on a network (e.g. quit, help) but some of
    them could be used to detect trin00. If you see several of these alerts,
    there's probably an attack running, that's more or less the only time
    these rules can detect trin00.
    
    # Trin00 commands are sent
    alert tcp any any -> 192.168.1.0/24 27665 (msg:"Trin00: Attacker to Master";)
    alert tcp any any -> 192.168.1.0/24 27665 (msg:"Trin00: Attacker to Master (default startup pass detected!)"; content:"betaalmostdone";)
    alert tcp any any -> 192.168.1.0/24 27665 (msg:"Trin00: Attacker to Master (default r.i. pass detected!)"; content:"gOrave";)
    alert tcp any any -> 192.168.1.0/24 27665 (msg:"Trin00: Attacker to Master (default mdie pass detected!)"; content:"killme";)
    alert udp any any -> 192.168.1.0/24 27444 (msg:"Trin00: Master to Daemon";)
    alert udp any any -> 192.168.1.0/24 27444 (msg:"Trin00: Master to Daemon (default pass detected!)"; content:"l44adsl";)
    alert udp any any -> 192.168.1.0/24 31335 (msg:"Trin00: Daemon to Master";)
    alert udp any any -> 192.168.1.0/24 31335 (msg:"Trin00: Daemon to Master (*HELLO* detected)"; content:"*HELLO*";)
    alert udp any any -> 192.168.1.0/24 31335 (msg:"Trin00: Daemon to Master (PONG detected)"; content:"PONG";)
    alert udp any any -> 192.168.1.0/24 31335 (msg:"Trin00: Daemon to Master (message detected)"; content:"l44";)
    
    Stefan Aeschbacher
    --
       Stefan Aeschbacher
       Federal Institute of Technology     Where do you want to go today?
       Lausanne Switzerland
       http://www.aeschbacher.ch/stefan       - NOT in your direction! -
    
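The rules above, run through a small evaluator, as an added example that is not part of the original post and is not Snort itself. It parses only the subset of the rule syntax the post uses (header, `msg`, plain-text `content`; no `|hex|`, `nocase` or offsets) and feeds it constructed packets: a real master login, master-to-daemon and daemon-to-master traffic, a benign UDP flow that happens to hit port 27444 (the false-alarm case the post warns about), and the same login against a host outside the monitored range. The packet records are made up for the example; the ports and strings are those from the post.

```python
"""Minimal evaluator for the trin00 Snort rules in the post (added example).

Supports only what those rules use: tcp/udp header with any/CIDR addresses and
any/numeric ports, plus msg and plain ASCII content options.  Content matching
is a case-sensitive substring test, like Snort's default for content.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# The rules from the post, for a monitored range of 192.168.1.0/24.
TRIN00_RULES = """
alert tcp any any -> 192.168.1.0/24 27665 (msg:"Trin00: Attacker to Master";)
alert tcp any any -> 192.168.1.0/24 27665 (msg:"Trin00: Attacker to Master (default startup pass detected!)"; content:"betaalmostdone";)
alert tcp any any -> 192.168.1.0/24 27665 (msg:"Trin00: Attacker to Master (default r.i. pass detected!)"; content:"gOrave";)
alert tcp any any -> 192.168.1.0/24 27665 (msg:"Trin00: Attacker to Master (default mdie pass detected!)"; content:"killme";)
alert udp any any -> 192.168.1.0/24 27444 (msg:"Trin00: Master to Daemon";)
alert udp any any -> 192.168.1.0/24 27444 (msg:"Trin00: Master to Daemon (default pass detected!)"; content:"l44adsl";)
alert udp any any -> 192.168.1.0/24 31335 (msg:"Trin00: Daemon to Master";)
alert udp any any -> 192.168.1.0/24 31335 (msg:"Trin00: Daemon to Master (*HELLO* detected)"; content:"*HELLO*";)
alert udp any any -> 192.168.1.0/24 31335 (msg:"Trin00: Daemon to Master (PONG detected)"; content:"PONG";)
alert udp any any -> 192.168.1.0/24 31335 (msg:"Trin00: Daemon to Master (message detected)"; content:"l44";)
"""

HEADER_RE = re.compile(r"^alert\s+(tcp|udp)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
OPTION_RE = re.compile(r'(\w+):"([^"]*)"')


@dataclass
class Rule:
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    contents: List[bytes] = field(default_factory=list)


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


def parse_rules(text: str) -> List[Rule]:
    """Parse rule lines; blank lines and '#' comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        proto, src, sport, dst, dport, opts = m.groups()
        options = OPTION_RE.findall(opts)
        msg = next(v for k, v in options if k == "msg")
        contents = [v.encode() for k, v in options if k == "content"]
        rules.append(Rule(proto, src, sport, dst, dport, msg, contents))
    return rules


def addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Header fields must all match; every content string must appear in the payload."""
    return (rule.proto == pkt.proto
            and addr_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)
            and addr_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport)
            and all(c in pkt.payload for c in rule.contents))


def evaluate(rules: List[Rule], packets: List[Packet]) -> List[Tuple[int, str]]:
    """Return (packet index, msg) for every rule that fires on a packet."""
    return [(i, r.msg) for i, p in enumerate(packets) for r in rules if rule_matches(r, p)]


# Constructed sample traffic (hypothetical addresses and payloads, not a capture).
SAMPLE_PACKETS = [
    Packet("tcp", "10.0.0.5", 40123, "192.168.1.20", 27665, b"betaalmostdone\n"),   # attacker logs in to master
    Packet("udp", "192.168.1.20", 1027, "192.168.1.31", 27444, b"png l44adsl"),     # master pings daemon
    Packet("udp", "192.168.1.31", 1030, "192.168.1.20", 31335, b"*HELLO*"),         # daemon announces to master
    Packet("udp", "10.1.1.1", 5060, "192.168.1.9", 27444, b"benign app data"),      # port-only false alarm
    Packet("tcp", "10.0.0.5", 40124, "172.16.0.1", 27665, b"betaalmostdone\n"),    # outside monitored range
]

if __name__ == "__main__":
    for idx, msg in evaluate(parse_rules(TRIN00_RULES), SAMPLE_PACKETS):
        print(f"packet {idx}: {msg}")
```

Note that packet 3 fires the port-only "Master to Daemon" rule with no password string in the payload; that is the false alarm the post mentions for applications using high UDP ports, and it is why the content-carrying variants are worth keeping separate from the port-only ones.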



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:19:21 PDT