
Distributed Denial-of-Service Attack Tool mstream (3)

2006-07-04 20:26:53  Source: WEB开发网

alert UDP any any -> any 6838 (msg: "IDS100/ddos-mstream-agent-to-handler"; content: "newserver"; )
alert UDP any any -> any 10498 (msg: "IDS101/ddos-mstream-handler-to-agent"; content: "stream/"; )
alert UDP any any -> any 10498 (msg: "IDS102/ddos-mstream-handler-ping-to-agent" ; content: "ping";)
alert UDP any any -> any 10498 (msg: "IDS103/ddos-mstream-agent-pong-to-handler" ; content: "pong";)
alert TCP any any -> any 12754 (msg: "IDS109/ddos-mstream-client-to-handler"; flags: S;)
alert TCP any 12754 -> any any (msg: "IDS110/ddos-mstream-handler-to-client"; content: ">"; flags: AP;)
alert TCP any any -> any 15104 (msg: "IDS111/ddos-mstream-client-to-handler"; flags: S;)
alert TCP any 15104 -> any any (msg: "IDS112/ddos-mstream-handler-to-client"; content: ">"; flags: AP;)
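
The following Python is an added example, not code from the original article or from Snort: it parses the eight rules above and applies them to constructed packet records, so each rule's port, content and flag conditions can be checked offline. The `alerts` signature, the sample packets and the exact-match treatment of `flags` are assumptions of this example.

```python
import re

# The eight rules from this page, verbatim (early Snort rule syntax).
RULES = '''
alert UDP any any -> any 6838 (msg: "IDS100/ddos-mstream-agent-to-handler"; content: "newserver"; )
alert UDP any any -> any 10498 (msg: "IDS101/ddos-mstream-handler-to-agent"; content: "stream/"; )
alert UDP any any -> any 10498 (msg: "IDS102/ddos-mstream-handler-ping-to-agent" ; content: "ping";)
alert UDP any any -> any 10498 (msg: "IDS103/ddos-mstream-agent-pong-to-handler" ; content: "pong";)
alert TCP any any -> any 12754 (msg: "IDS109/ddos-mstream-client-to-handler"; flags: S;)
alert TCP any 12754 -> any any (msg: "IDS110/ddos-mstream-handler-to-client"; content: ">"; flags: AP;)
alert TCP any any -> any 15104 (msg: "IDS111/ddos-mstream-client-to-handler"; flags: S;)
alert TCP any 15104 -> any any (msg: "IDS112/ddos-mstream-handler-to-client"; content: ">"; flags: AP;)
'''
HEADER = re.compile(r'alert\s+(\w+)\s+any\s+(\S+)\s+->\s+any\s+(\S+)\s+\((.*)\)\s*$')
OPTION = re.compile(r'(\w+)\s*:\s*("[^"]*"|[^;]+?)\s*;')

def parse_rule(line):
    """Split one rule into protocol, ports and its msg/content/flags options."""
    proto, sport, dport, opts = HEADER.match(line.strip()).groups()
    rule = {"proto": proto.upper(), "content": None, "flags": None,
            "sport": None if sport == "any" else int(sport),
            "dport": None if dport == "any" else int(dport)}
    for key, val in OPTION.findall(opts):
        rule[key] = val.strip().strip('"')
    return rule

PARSED = [parse_rule(line) for line in RULES.strip().splitlines()]

def alerts(proto, sport, dport, payload=b"", flags=""):
    """Return the msg of every rule that fires on one packet record."""
    hits = []
    for r in PARSED:
        header_ok = (r["proto"] == proto and r["sport"] in (None, sport)
                     and r["dport"] in (None, dport))
        # Assumption: flags without a modifier means exactly these TCP flags.
        flags_ok = r["flags"] is None or set(r["flags"]) == set(flags)
        # content is a case-sensitive byte search anywhere in the payload.
        content_ok = r["content"] is None or r["content"].encode() in payload
        if header_ok and flags_ok and content_ok:
            hits.append(r["msg"])
    return hits

if __name__ == "__main__":
    # Constructed packet records: (proto, sport, dport, payload, flags).
    for pkt in [("UDP", 40000, 6838, b"newserver", ""), ("UDP", 40000, 10498, b"ping", ""),
                ("UDP", 40000, 6838, b"pong", ""),  # dport the RID template listens on
                ("TCP", 40000, 12754, b"", "S"), ("TCP", 12754, 40000, b"> ", "AP")]:
        print(pkt, "->", alerts(*pkt) or "no alert")
```

With these rules a "pong" sent to UDP port 6838, the port the RID template on this page listens on, raises no alert, because IDS103 only watches port 10498.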

☆ Appendix C - RID template for detecting mstream

start mstream-wild
send udp dport=10498 data="ping"
recv udp dport=6838 data="pong" nmatch=2
end mstream-wild
start mstream-published
send udp dport=7983 data="ping"
recv udp dport=9325 data="pong" nmatch=2
end mstream-published

scz note: the minus sign '-' is used incorrectly here, which shows that this template has not been verified


Entered by: 爽爽