GEN:SID 1:251
Message DDOS - TFN client command LE
Summary This event is generated when a command is sent to a Tribal Flood Network
(TFN) Distributed Denial of Service (DDoS) daemon.
Impact Attempted DDoS.  If the listed source IP is in your network, it may be a
TFN client.  If the listed destination IP is in your network, it may be
a TFN daemon.
Detailed Information The TFN DDoS uses a tiered structure of compromised hosts to coordinate
and participate in a distributed denial of service attack. Clients
communicate with daemons to inform them to launch attacks.

This event is indicative of a client sending commands to a daemon.
Affected Systems Any TFN compromised host.
Attack Scenarios After a host becomes a TFN daemon, it will respond to client requests.
Ease of Attack Simple. TFN code is freely available.
Corrective Action Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.

Rebuild a confirmed compromised host.

Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
Additional References CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138

Arachnids:
http://www.whitehats.com/info/IDS183
Rule References arachnids: 183