GEN:SID 1:250
Message DDOS mstream handler to client
Summary The event is generated when a DDoS mstream handler responds to an mstream client.
Impact Severe.  If the source IP is in your network, that host is possibly an mstream handler.  If the destination IP is in your network, that host is possibly an mstream client.
Detailed Information The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. At the highest level, clients communicate with handlers to direct them to launch attacks.  A client may contact a handler using a TCP SYN packet to destination port 15104.  A listening handler would respond to this on source port 15104 with a string of ">" in the payload.
Affected Systems Any mstream compromised host.
Attack Scenarios After a host becomes an mstream handler, the client will attempt to communicate with the handler.  A handler will respond to this communication.

Ease of Attack Simple. mstream code is freely available.
Corrective Action  
Additional References CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138

Rule References cve: 2000-0138
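
The exchange described under Detailed Information can be checked offline against raw IPv4 packets. The following is an added example, not the rule's own text or code from the original page: it flags a SYN to port 15104 and a reply from source port 15104 carrying ">" in the payload. The function names, the labels and the sample packets (documentation address ranges) are constructed for illustration.

```python
import socket
import struct

MSTREAM_PORT = 15104  # handler port named in the rule documentation

def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Build a minimal IPv4+TCP packet for the demo (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload

def classify(packet):
    """Return (label, src_ip, dst_ip) for mstream client/handler traffic, else None."""
    if len(packet) < 40 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None  # not IPv4/TCP, or too short to hold both headers
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 20:
        return None  # malformed or truncated IP header
    total_len = min(struct.unpack("!H", packet[2:4])[0], len(packet))
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    data_off = (packet[ihl + 12] >> 4) * 4
    if data_off < 20:
        return None  # malformed TCP header length
    flags = packet[ihl + 13]
    payload = packet[ihl + data_off:total_len]
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    if sport == MSTREAM_PORT and b">" in payload:
        return ("handler-response", src, dst)  # source host is the possible handler
    if dport == MSTREAM_PORT and flags & 0x12 == 0x02:
        return ("client-syn", src, dst)  # SYN without ACK toward the handler port
    return None

# Constructed sample traffic; addresses are from documentation ranges.
SAMPLE = [
    build_packet("198.51.100.7", "192.0.2.10", 40000, 15104, 0x02),        # client SYN
    build_packet("192.0.2.10", "198.51.100.7", 15104, 40000, 0x18, b">"),  # handler reply
    build_packet("192.0.2.10", "198.51.100.7", 15104, 40000, 0x12),        # SYN/ACK, no payload
    build_packet("192.0.2.20", "198.51.100.7", 443, 40001, 0x18, b"<p>"),  # ">" on another port
]

def scan(packets):
    """Classify each packet and keep only the matches."""
    return [hit for hit in map(classify, packets) if hit]

if __name__ == "__main__":
    for label, src, dst in scan(SAMPLE):
        print(f"{label}: {src} -> {dst}")
```

A single ">" byte is a weak content match, so a hit is a lead for checking the source host for a listener on port 15104 rather than proof of compromise.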