--
Rule:
alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS
Trin00\:DaemontoMaster(*HELLO*detected)"; content:"*HELLO*";
reference:arachnids,185;
reference:url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm;
classtype:attempted-dos; sid:232; rev:2;) 

--
Sid:
232

--
Summary:
An "I've alive" packet for the Trinoo DDos suite was
detected between a trin00 client to the trin00 master.

--
Impact:
Possible system compromise and/or Denial of Service.

--
Detailed Information:
Trin00 is a Distributed Denial of Service tool.  Once the Trin00
client has been installed on a compromised machine, it sends a packet
to port 31335 of the master daemon containing the text "*HELLO*"
indicating that it is alive and ready for commands.

--
Attack Scenarios:
As part of a large scale attack against a machine or a network, an
attacker will compromise large numbers of machines which will form the
army that the trin00 master daemon will command.  The master daemon
typically instructs the clients to send considerable amounts of packets to
a set of victim hosts.  If the traffic is sufficient, the victim
machines will become resource deprived.

--
Ease of Attack:
Medium.  Use of this tool requires a compromised system from which to
to run (unless you choose to just run it on your own machine).  Once a
machine has been comprimsed, all that is required to become part of the
trin00 network is proper permissions and a network connection. 

--
False Positives:
Rare.  The current version of trin00 ships with a configuration
sending a HELLO packet over udp to port 31335.  Communication via udp
to such a high port is fairly uncommon.  That, coupled with the
*HELLO* string, make this rule fairly foolproof.

--
False Negatives:
Rare unless newer versions change port/protocol/message.

--
Corrective Action:
Disconnect your machine(s) from the network immediately.  Attempt to
determine if your machine was being used as part of a trin00 network.
This may be difficult, given that the system has likely been
compromised and had a root kit installed.   

--
Contributors:
Warchild <warchild@spoofed.org> Initial Research
Josh Gray	Edits

-- 
Additional References:
http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt
http://staff.washington.edu/dittrich/misc/ddos/
http://www.sans.org/newlook/resources/IDFAQ/trinoo.htm

