GEN:SID 1:240
Message DDOS shaft agent to handler
Summary This event is generated when a DDoS Shaft agent communicates with a Shaft handler.  It is also possible that this event may be generated when any host attempts to discover a Shaft handler.  
Impact Attempted DDoS. If the listed source IP is in your network, it may be a Shaft agent or a host attempting to discover Shaft handlers.  If the listed destination IP is in your network, it may be a Shaft handler.
Detailed Information The Shaft DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. Handlers communicate with agents to direct them to launch attacks. An agent may communicate with a handler using a UDP packet to destination port 20433 with a content of "alive".
Affected Systems Any Shaft compromised host.
Attack Scenarios A Shaft agent needs to communicate with a handler before it is given directions to launch an attack.
Ease of Attack Simple. Shaft code is freely available.
Corrective Action Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.

Rebuild a confirmed compromised host.

Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.

Additional References Arachnids:
http://www.whitehats.com/info/IDS256

Miscellaneous:
http://biocserver.cwru.edu/~jose/shaft_analysis/

Rule References arachnids: 256