Hi, here are some Snort rules which could show the presence of a trin00 network in the observed IP range. These rules work only as long as the ports/passwords/protocol aren't changed. The rules are not tested; they rely on the paper of Dave Dittrich posted in Bugtraq (for more information see this great paper). If you have programs using high-numbered UDP ports, some of the rules will give false alarms.

Another way to identify trin00 would be to search for the packets that contain one of the daemon or master commands. Unfortunately most of them are strings which are common on a network (e.g. quit, help), but some of them could be used to detect trin00. If you see several of these alerts, there's probably an attack running; that's more or less the only time these rules can detect trin00.

# Trin00 commands are sent
alert tcp any any -> 192.168.1.0/24 27665 (msg:"Trin00: Attacker to Master";)
alert tcp any any -> 192.168.1.0/24 27665 (msg:"Trin00: Attacker to Master (default startup pass detected!)"; content:"betaalmo";)
alert tcp any any -> 192.168.1.0/24 27665 (msg:"Trin00: Attacker to Master (default mdie pass detected!)"; content:"killme";)
alert udp any any -> 192.168.1.0/24 27444 (msg:"Trin00: Master to Daemon";)
alert udp any any -> 192.168.1.0/24 27444 (msg:"Trin00: Master to Daemon (default pass detected!)"; content:"l44adsl";)
alert udp any any -> 192.168.1.0/24 31335 (msg:"Trin00: Daemon to Master";)
alert udp any any -> 192.168.1.0/24 31335 (msg:"Trin00: Daemon to Master (*HELLO* detected)"; content:"*HELLO*";)
alert udp any any -> 192.168.1.0/24 31335 (msg:"Trin00: Daemon to Master (PONG detected)"; content:"PONG";)
alert udp any any -> 192.168.1.0/24 31335 (msg:"Trin00: Daemon to Master (message detected)"; content:"l44";)

Stefan Aeschbacher

--
Stefan Aeschbacher                     Where do you want to go today?
Federal Institute of Technology        - NOT in your direction! -
Lausanne Switzerland
http://www.aeschbacher.ch/stefan
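The post's point that a lone port hit is probably a false alarm while several of these alerts together indicate an attack can be checked offline. The following is an added example, not part of the original post and not Snort itself: a small matcher for the rule subset the post uses (protocol, destination net, destination port, msg, content), run over constructed sample packets and then correlated per destination host. The sample traffic and the threshold of two distinct alerts are assumptions for the demonstration.

```python
import ipaddress
import re

# Four of the post's rules, kept in Snort syntax so the parser exercises the real format.
RULES_TEXT = """
alert tcp any any -> 192.168.1.0/24 27665 (msg:"Trin00: Attacker to Master";)
alert tcp any any -> 192.168.1.0/24 27665 (msg:"Trin00: Attacker to Master (default startup pass detected!)"; content:"betaalmo";)
alert udp any any -> 192.168.1.0/24 27444 (msg:"Trin00: Master to Daemon";)
alert udp any any -> 192.168.1.0/24 31335 (msg:"Trin00: Daemon to Master (*HELLO* detected)"; content:"*HELLO*";)
"""
RULE_RE = re.compile(r'alert (?P<proto>tcp|udp) any any -> (?P<net>\S+) (?P<port>\d+) '
                     r'\(msg:"(?P<msg>[^"]*)";(?: content:"(?P<content>[^"]*)";)?\)')

def parse_rules(text):
    """Parse the rule subset above into dicts; raise on any rule option this toy parser does not know."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unparsed rule: {line}")
        rules.append({"proto": m["proto"], "net": ipaddress.ip_network(m["net"]), "port": int(m["port"]),
                      "msg": m["msg"], "content": (m["content"] or "").encode()})
    return rules

def match(rules, packets):
    """Return (dst_ip, msg) for every rule a packet triggers; a rule without content matches on port alone."""
    alerts = []
    for proto, src, dst, dport, payload in packets:
        for r in rules:
            if (proto == r["proto"] and dport == r["port"]
                    and ipaddress.ip_address(dst) in r["net"] and r["content"] in payload):
                alerts.append((dst, r["msg"]))
    return alerts

def suspected_hosts(alerts, threshold=2):
    """Hosts that raised several *distinct* trin00 alerts; a single port-only hit is left out as a likely false alarm."""
    per_host = {}
    for dst, msg in alerts:
        per_host.setdefault(dst, set()).add(msg)
    return sorted(h for h, msgs in per_host.items() if len(msgs) >= threshold)

# Constructed sample traffic (proto, src, dst, dst_port, payload): 192.168.1.10 sees a master-side
# exchange, 192.168.1.77 only one stray high-port UDP packet, and 10.9.9.9 lies outside the watched range.
SAMPLE_PACKETS = [
    ("tcp", "10.0.0.5", "192.168.1.10", 27665, b"betaalmo\n"),
    ("udp", "192.168.1.20", "192.168.1.10", 31335, b"*HELLO*"),
    ("udp", "172.16.0.9", "192.168.1.77", 27444, b"some game data"),
    ("udp", "172.16.0.9", "10.9.9.9", 31335, b"*HELLO*"),
]
ALERTS = match(parse_rules(RULES_TEXT), SAMPLE_PACKETS)  # four alerts, only one of them on 192.168.1.77
```

`suspected_hosts(ALERTS)` returns `['192.168.1.10']`: the host with the stray 27444 packet produced one alert and is filtered out, which is exactly the false-alarm case the post warns about.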