GEN:SID 1:236
Message DDOS Stacheldraht client check gag
Summary This event is generated when a Stacheldraht handler probes for a Stacheldraht agent on the destination host.
Impact Severe. This indicates that a Stacheldraht handler may exist on the source host and an agent may exist on the destination host.
Detailed Information The Stacheldraht DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. 

There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack. A handler can discover if a particular host is a Stacheldraht agent by sending it an ICMP echo reply with an ICMP identification number of 668 and a string of "gesundheit!" in the payload.
Affected Systems Any Stacheldraht compromised host.
Attack Scenarios A handler may attempt to discover if the destination host is a Stacheldraht agent. A script named "gag" can be used to generate this communication for a defender or attacker to discover if a host is a Stacheldraht agent.
Ease of Attack Simple.  The gag script is freely available.
Corrective Action Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.

Rebuild a confirmed compromised host.

Use a packet filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
Additional References Arachnids:
http://www.whitehats.com/info/IDS194
Rule References arachnids: 194