GEN:SID 1:249
Message DDOS mstream client to handler
Summary The event is generated when a DDoS mstream client makes contact with an mstream handler.
Impact Severe. If the listed source IP address is in your network, that host is possibly an mstream client. If the listed destination IP address is in your network, that host is possibly an mstream handler.
Detailed Information The mstream DDoS tool uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial-of-service attack. At the highest level, clients communicate with handlers to instruct them to launch attacks. A client may contact a handler using a TCP SYN packet to destination port 15104.
Affected Systems Any mstream compromised host.
Attack Scenarios After a host becomes an mstream handler, the client will attempt to communicate with the handler.
Ease of Attack Simple. mstream code is freely available.
Corrective Action Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.

Rebuild a confirmed compromised host.

Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
Additional References CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
Rule References cve: 2000-0138
arachnids: 111
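
Added example (not part of the original rule documentation and not the Snort rule itself): a triage sketch that applies the condition in Detailed Information (TCP SYN to destination port 15104) to a raw IPv4 packet and then applies the Impact guidance to decide which end of the alert is inside your network. The function names, the SYN-only flag test, and the sample packet are assumptions constructed for illustration.

```python
import ipaddress
import struct

MSTREAM_HANDLER_PORT = 15104  # destination port named in Detailed Information

def match_client_to_handler(packet: bytes):
    """Return (src, dst) if packet is an IPv4 TCP SYN to port 15104, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                       # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length, options included
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 14:
        return None                       # bad IHL, not TCP, or TCP header cut short
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                       # non-first fragment carries no TCP header
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    flags = packet[ihl + 13]
    # Assumption: "SYN packet" means SYN set with ACK, RST and FIN clear.
    if dport != MSTREAM_HANDLER_PORT or flags & 0x17 != 0x02:
        return None
    return ipaddress.ip_address(packet[12:16]), ipaddress.ip_address(packet[16:20])

def triage(packet: bytes, home_net: str):
    """Apply the Impact field: which end of the match is inside home_net?"""
    hit = match_client_to_handler(packet)
    if hit is None:
        return []
    src, dst = hit
    net = ipaddress.ip_network(home_net)
    findings = []
    if src in net:
        findings.append(f"{src}: possible mstream client")
    if dst in net:
        findings.append(f"{dst}: possible mstream handler")
    return findings

def build_packet(src, dst, dport, flags, options=b""):
    """Constructed sample input: bare IPv4 + TCP headers, checksums left zero."""
    ihl = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 20, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + options + tcp

if __name__ == "__main__":
    pkt = build_packet("10.0.0.5", "192.0.2.10", MSTREAM_HANDLER_PORT, 0x02)
    print(triage(pkt, "10.0.0.0/8"))
```

A match only says that a connection attempt to port 15104 was seen; confirm the host's role with the forensic analysis described under Corrective Action.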