GEN:SID 1:222
Message DDOS tfn2k icmp possible communication
Summary This event is generated when ICMP traffic is sent between Tribe Flood Network 2000 (TFN2K) hosts.
Impact Attempted DDoS. It is possible there is a TFN2K host in your network.
Detailed Information When TFN2K hosts communicate using ICMP, they may use an ICMP echo reply with an ICMP identification number of 0 and a sequence of A's in the payload. The tell-tale sequence of A's results from a problem with the Base64 encoding that was employed.
Affected Systems Any TFN2K infected host.
Attack Scenarios TFN2K hosts communicate with each other for various reasons, ultimately to attack a target.
Ease of Attack Simple. TFN2K is freely available.
Corrective Action Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.

Rebuild a confirmed compromised host.

Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
Additional References Arachnids:
http://www.whitehats.com/info/IDS425
Rule References arachnids: 425
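
The check described under Detailed Information, written out as an added example; it is not part of the original rule documentation and is not the Snort rule itself. The minimum run of 10 A's, the function names and the sample packets are assumptions constructed for illustration.

```python
import re
import struct

ICMP_ECHO_REPLY = 0
# Assumption: a run of at least 10 'A' bytes counts as the "sequence of A's".
MIN_A_RUN = 10
A_RUN = re.compile(b"A{%d,}" % MIN_A_RUN)


def parse_icmp_echo(icmp: bytes):
    """Split an ICMP echo message into (type, code, ident, seq, payload)."""
    if len(icmp) < 8:
        raise ValueError("ICMP echo header needs 8 bytes")
    itype, code, _cksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return itype, code, ident, seq, icmp[8:]


def matches_tfn2k_icmp(icmp: bytes) -> bool:
    """True for an echo reply with identification 0 and a run of A's in the payload."""
    try:
        itype, _code, ident, _seq, payload = parse_icmp_echo(icmp)
    except ValueError:
        return False  # truncated message: nothing to match on
    return (itype == ICMP_ECHO_REPLY and ident == 0
            and A_RUN.search(payload) is not None)


def build_icmp(itype: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Constructed sample message; checksum left at 0 because the check ignores it."""
    return struct.pack("!BBHHH", itype, 0, 0, ident, seq) + payload


# Constructed samples (not captured traffic).
SAMPLES = {
    "reply_id0_As": build_icmp(0, 0, 0, b"\x3f" + b"A" * 20),
    "reply_id_nonzero_As": build_icmp(0, 0x1234, 1, b"A" * 20),
    "request_id0_As": build_icmp(8, 0, 0, b"A" * 20),
    "reply_id0_ordinary": build_icmp(0, 0, 7, b"abcdefghijklmnopqrstuvwabcdefghi"),
    "truncated": b"\x00\x00\x00",
}


def classify_samples() -> dict:
    """Run the check over every constructed sample."""
    return {name: matches_tfn2k_icmp(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:22s} {'ALERT' if hit else 'ok'}")
```

All three conditions must hold together: the samples that satisfy only the payload pattern, or only the zero identification number, do not match.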