Date: Fri, 31 Dec 1999 11:06:05 -0800
From: Max Vision <vision@WHITEHATS.COM>
Subject: Re: Analysis of "stacheldraht" + arachNIDS
To: BUGTRAQ@SECURITYFOCUS.COM

On Fri, 31 Dec 1999, Dave Dittrich wrote:
> http://staff.washington.edu/dittrich/misc/stacheldraht.analysis

Hello,

I have written seven IDS signatures that detect the default configuration of stacheldraht, as presented in Dave's excellent writeup. They are available at Whitehats and below in this email.

This is probably a good opportunity to introduce my free IDS signature database project, arachNIDS. [ http://whitehats.com/ ]

arachNIDS is the Advanced Reference Archive of Current Heuristics for Network Intrusion Detection Systems - CVE and BugtraqID compatible/searchable. The database can be used as a tool for research, or IDS signatures can be exported for use in free IDS such as Snort. The intent of this open/free database is to raise the bar on modern intrusion detection systems by bringing full-disclosure to IDS.

arachNIDS is a work in progress, and contributions are very welcome. I have also created an Intrusion Event description form that, as you fill in packet information, dynamically creates an appropriate signature. Please visit the site for details.
signatures:

alert TCP $EXTERNAL any -> $INTERNAL 16660 (msg: "stacheldraht client"; flags: S;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "stacheldraht client-check"; content: "skillz"; itype: 0; icmp_id: 666;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "stacheldraht client-check-gag"; content: "gesundheit!"; itype: 0; icmp_id: 668;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "stacheldraht client-spoofworks"; content: "spoofworks"; itype: 0; icmp_id: 1000;)
alert ICMP $INTERNAL any -> $EXTERNAL any (msg: "stacheldraht server-response"; content: "ficken"; itype: 0; icmp_id: 667;)
alert ICMP $INTERNAL any -> $EXTERNAL any (msg: "stacheldraht server-response-gag"; content: "sicken"; itype: 0; icmp_id: 669;)
alert ICMP 3.3.3.3/32 any -> any any (msg: "stacheldraht server-spoof"; itype: 0; icmp_id: 666;)

"Whitehats is a resource to help network and security administrators by offering free software and community support. This site features the world's first open Intrusion Detection database, arachNIDS."

Max Vision
Network Security Architect
http://whitehats.com/ <- free tools, forums, and IDS database
http://maxvision.net/
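The following is an added example, not code from Max Vision, Whitehats or the Snort project: it parses the seven signatures above into their header and option fields and runs them over a handful of constructed packet records, so a reader can see which fields of each rule (protocol, direction, ICMP type, ICMP id, payload content, TCP flags) carry the detection. The value of $INTERNAL (10.0.0.0/8), the treatment of $EXTERNAL as "not $INTERNAL", the sample packets and the simplified option semantics (exact flag-string comparison, substring content match) are assumptions of this example, not Snort's full rule engine.

```python
import ipaddress
import re

# Assumed site-specific value for the $INTERNAL network variable; the post
# leaves it for each site to define. $EXTERNAL is treated as "not $INTERNAL".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# The seven signatures, copied verbatim from the post.
RULES = """
alert TCP $EXTERNAL any -> $INTERNAL 16660 (msg: "stacheldraht client"; flags: S;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "stacheldraht client-check"; content: "skillz"; itype: 0; icmp_id: 666;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "stacheldraht client-check-gag"; content: "gesundheit!"; itype: 0; icmp_id: 668;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "stacheldraht client-spoofworks"; content: "spoofworks"; itype: 0; icmp_id: 1000;)
alert ICMP $INTERNAL any -> $EXTERNAL any (msg: "stacheldraht server-response"; content: "ficken"; itype: 0; icmp_id: 667;)
alert ICMP $INTERNAL any -> $EXTERNAL any (msg: "stacheldraht server-response-gag"; content: "sicken"; itype: 0; icmp_id: 669;)
alert ICMP 3.3.3.3/32 any -> any any (msg: "stacheldraht server-spoof"; itype: 0; icmp_id: 666;)
"""

# action proto src sport -> dst dport (options)
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')

def parse_rule(line):
    """Split one Snort-style rule into its header fields and an option dict."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("unparsable rule: " + line)
    action, proto, src, sport, dst, dport, body = m.groups()
    opts = {}
    for item in body.split(";"):
        item = item.strip()
        if item:
            key, _, val = item.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto.upper(), "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": opts}

RULESET = [parse_rule(l) for l in RULES.strip().splitlines()]

def addr_matches(spec, addr):
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if spec == "$INTERNAL":
        return any(ip in n for n in INTERNAL_NETS)
    if spec == "$EXTERNAL":
        return not any(ip in n for n in INTERNAL_NETS)
    return ip in ipaddress.ip_network(spec, strict=False)  # literal CIDR such as 3.3.3.3/32

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def rule_matches(rule, pkt):
    """Simplified evaluation: header, then each option the rule carries."""
    if pkt["proto"] != rule["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])):
        return False
    if rule["proto"] == "TCP" and not (port_matches(rule["sport"], pkt["sport"])
                                       and port_matches(rule["dport"], pkt["dport"])):
        return False
    o = rule["opts"]
    if "flags" in o and pkt.get("flags") != o["flags"]:          # exact flag string (simplified)
        return False
    if "content" in o and o["content"].encode() not in pkt.get("payload", b""):
        return False
    if "itype" in o and pkt.get("itype") != int(o["itype"]):
        return False
    if "icmp_id" in o and pkt.get("icmp_id") != int(o["icmp_id"]):
        return False
    return True

def scan(packets, rules=RULESET):
    """Return (packet index, msg) for every rule each packet triggers."""
    return [(i, r["opts"]["msg"]) for i, p in enumerate(packets)
            for r in rules if rule_matches(r, p)]

# Constructed packet records (not captured traffic): 10.1.2.3 is inside
# $INTERNAL, 192.0.2.10 is outside it, 3.3.3.3 is the literal source in rule 7.
SAMPLE_PACKETS = [
    {"proto": "TCP", "src": "192.0.2.10", "dst": "10.1.2.3", "sport": 40001, "dport": 16660, "flags": "S"},
    {"proto": "ICMP", "src": "192.0.2.10", "dst": "10.1.2.3", "itype": 0, "icmp_id": 666, "payload": b"skillz"},
    {"proto": "ICMP", "src": "10.1.2.3", "dst": "192.0.2.10", "itype": 0, "icmp_id": 667, "payload": b"ficken"},
    {"proto": "ICMP", "src": "3.3.3.3", "dst": "10.1.2.3", "itype": 0, "icmp_id": 666, "payload": b""},
    {"proto": "ICMP", "src": "192.0.2.10", "dst": "10.1.2.3", "itype": 0, "icmp_id": 1234, "payload": b"ping"},
]

def demo():
    return scan(SAMPLE_PACKETS)

if __name__ == "__main__":
    for idx, msg in demo():
        print("packet %d -> %s" % (idx, msg))
```

The last sample packet is an ordinary echo reply and triggers nothing; the fourth shows why the seventh rule carries no content option: it keys on the hard-coded spoof-test source address and ICMP id alone, so an empty payload still matches it while the id-666 "client-check" rule, which requires the "skillz" string, stays quiet.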