586 Appendix A • Cisco IDS Sensor Signatures ■ 6197-rpc yppaswdd overflow:This alarm fire when an overflow attempt is detected when sent to yppaswdd RCP-based application. ■ 6198-rwalld String Format: This signature fires if an unusually long mes- sage is detected being sent to the RPC service rwalld. ■ 6199-cachefsd Overflow:This alarm fire when an overflow attempt is detected when sent to cachefsd, an RCP-based application. ■ 6200-Ident Buffer Overflow:This signature fires when a server returns an IDENT reply that is too large. ■ 6201-Ident Newline:This signature fires when a server returns an IDENT reply that includes a newline followed by more data. ■ 6210-LPRng format String Overflow: Alarms when an the first lpr com- mand in a datastream is invalid (first byte != 1-9 ascii) and the length to the first LF is greater than 256. ■ 6250-FTP Authorization Failure:This signature fires when a user has failed to authenticate three times in a row, while trying to establish an FTP ses- sion. ■ 6251-Telnet Authorization Failure:This signature fires when a user has failed to authenticate three times in a row, while trying to establish a telnet session. ■ 6252-Rlogin Authorization Failure:This signature fires when a user has failed to authenticate three times in a row, while trying to establish an rlogin session. ■ 6253-POP3 Authorization Failure:This signature fires when a user has failed to authenticate three times in a row, while trying to establish a POP3 ses- sion. ■ 6255-SMB Authorization Failure:This signature fireswhen a client fails Windows NTs (or Sambas) user authentication three or more consecutive times within a single SMB session. ■ 6256- HTTP Authorization Failure:This signature fires when a user has failed to authenticate three times in a row, while trying to log into a secured HTTP website. ■ 6275-SGI fam Attempt:This signature detects accesses to the SGI fam RPC daemon. Attackers can use this service to gain information about files on the vulnerable system. www.syngress.com 267_cssp_ids_appx.qxd 9/30/03 5:35 PM Page 586 Cisco IDS Sensor Signatures • Appendix A 587 ■ 6276-TooltalkDB overflow:This signature will alarm upon detecting an rpc connection to rpc program number 100083 using procedure 103 with an buffer greater than 1024. ■ 6277-Show Mount Recon:This signature alarms upon detecting an RPC call to show all mounts on an NFS server. ■ 6300-Loki ICMP Tunneling: Loki is a tool designed to run an interactive session that is hidden within ICMP traffic. ■ 6302-General Loki ICMP Tunneling:This signature fires when an imbalance of ICMP echo replies to echo requests is detected. ■ 6350-SQL Query Abuse: This signature fires if a select query is issued using the OPENROWSET() function with an ad hoc exec statement in it. ■ 6500-RingZero Trojan:The RingZero Trojan consists of an information transfer (ITS) agent and a port scanning (PST) agent. ■ 6501-TFN Client Request:TFN clients and servers by default, communi- cate using ICMP echo reply packets.This signature looks for ICMP echo reply packets containing potential TFN commands sent from a TFN CLIENT —TO-> a SERVER. ■ 6502-TFN Server Reply:TFN clients and servers by default, communicate using ICMP echo reply packets.This signature looks for ICMP echo reply packets containing potential TFN commands sent from a TFN SERVER — TO-> CLIENT. ■ 6503-Stacheldraht Client Request: Stacheldraht clients and servers by default, communicate using ICMP echo reply packets.This signature looks for ICMP echo reply packets containing potential commands sent from a Stacheldraht CLIENT —TO—> SERVER. ■ 6504-Stacheldraht Server Reply: Stacheldraht clients and servers by default, communicate using ICMP echo reply packets.This signature looks for ICMP echo reply packets containing potential commands sent from a Stacheldraht SERVER —TO—> CLIENT. ■ 6505-Trinoo Client Request:Trinoo clients communicate by default on UDP port 27444 using a default command set. ■ 6506-Trinoo Server Reply:Trinoo servers reply to clients by default on UDP port 31335 using a default command set. www.syngress.com 267_cssp_ids_appx.qxd 9/30/03 5:35 PM Page 587 588 Appendix A • Cisco IDS Sensor Signatures ■ 6507-TFN2K Control Traffic:TFN2K is a Distributed Denial of Service tool. ■ 6508-Mstream Control Traffic:This signature identifies the control traffic between both the attacker <-> client (aka handler), and between the client (aka handler) <-> server (aka agent or daemon). ■ 6901-Net Flood ICMP Reply:This signature fires when a configurable threshold for ICMP Type 0 (Echo Reply) traffic is crossed. ■ 6902-Net Flood ICMP Request:This signature fires when a configurable threshold for ICMP Type 8 (Echo Request) traffic is crossed. ■ 6903-Net Flood ICMP Any:This signature fires when a configurable threshold for all ICMP traffic is crossed. ■ 6910-Net Flood UDP:This signature fires when a configurable threshold for all UDP traffic is crossed. ■ 6920-Net Flood TCP:This signature fires when a configurable threshold for all TCP traffic is crossed. NOTE By default, signatures 6901, 6902, 6903, 6910, and 6920 are disabled. To use either or all of these signatures first enable them, set the “Rate” param- eter to zero, and run for a period of time. This is what is called diagnostic mode. They are a tremendous resource hog and should not be left on. ARP signature series 7000 series The 7000 series covers all ARP type traffic. Do not look for any of these in software versions prior to 4.0. ■ 7101-ARP Source Broadcast:The sensor saw ARP packets with an ARP payload Source MAC broadcast address. ■ 7102-ARP Reply-to-Broadcast:The sensor saw an ARP Reply packet with its payload Destination MAC containing a broadcast address. www.syngress.com 267_cssp_ids_appx.qxd 9/30/03 5:35 PM Page 588 Cisco IDS Sensor Signatures • Appendix A 589 ■ 7104-ARP MacAddress-Flip-Flop-Response:The sensor saw a set of ARP response packets where the ARP payload Mac-to-Ip mapping changed more than MacFlip number of times. ■ 7105-ARP Inbalance-of-Requests:The sensor saw many more requests than it saw replies for an IP address out of the ARP payload. NOTE The 7000 series signatures are only available in Cisco IDS versions 4.0 and newer. String Matching signature series 8000 series These signatures are highly configurable. They allow you to look for specific strings in the payload of a packet. If an attack is underway and there is not already a signa- ture for it, a temporary string match can be put in place to help mitigate some of the risk. ■ 8000:2101-FTP Retrieve Password File: This signature fires on string passwd issued during an FTP session. ■ 8000:2302-Telnet-/etc/shadow Match: This signature fires on string /etc/shadow issued during a telnet session. ■ 8000:2303-Telnet-+ +: This signature fires on string + + issued during a telnet session. ■ 8000:51301-Rlogin-IFS Match:This signature fires when an attempt to change the IFS to / is done during a rlogin session. ■ 8000:51302-Rlogin-/etc/shadow Match: This signature fires on string /etc/shadow issued during a rlogin session. ■ 8000:51303-Rlogin-+ + : This signature fires on string + + issued during a rlogin session. www.syngress.com 267_cssp_ids_appx.qxd 9/30/03 5:35 PM Page 589 590 Appendix A • Cisco IDS Sensor Signatures Back Door signature series 9000 series Back door signatures are specific to well-known back doors. These signatures fire off of activity that is targeting the known ports and protocols of the backdoor. Any alarms from these signatures should be investigated closely. The ports can be used in valid applications. ■ 9000-Back Door Probe (TCP 12345): This signature fires when a TCP SYN packet to port 12345 which is a known trojan port for NetBus as well as the following: Adore sshd,Ashley, cron / crontab, Fat Bitch trojan, GabanBus, icmp_client.c, icmp_pipe.c, Mypic, NetBus Toy, Pie Bill Gates, ValvNet,Whack Job, X-bill. ■ 9001-Back Door Probe (TCP 31337): This signature fires when a TCP SYN packet to port 31337 which is a known trojan port for BackFire, Back Orifice, DeepBO,ADM worm, Baron Night, Beeone, bindshell, BO client, BO Facil, BO spy, BO2, cron / crontab, Freak88, Freak2k, Gummo, Linux Rootkit, Sm4ck, Sockdmini. ■ 9002-Back Door Probe (TCP 1524): This signature fires when a TCP SYN packet to port 1524 which is a common backdoor placed on machines by worms and hackers. ■ 9003-Back Door Probe (TCP 2773): This signature fires when a TCP SYN packet to port 2773 which is a known trojan port for SubSeven. ■ 9004-Back Door Probe (TCP 2774): This signature fires when a TCP SYN packet to port 2774 which is a known trojan port for SubSeven. ■ 9005-Back Door Probe (TCP 20034): This signature fires when a TCP SYN packet to port 20034 which is a known trojan port for Netbus Pro as well as NetRex and Whack Job. ■ 9006-Back Door Probe (TCP 27374): This signature fires when a TCP SYN packet to port 27374 which is a known trojan port for SubSeven as well as Bad Blood, EGO, Fake SubSeven, Lion, Ramen, Seeker,The Saint, Ttfloader and Webhead. ■ 9007-Back Door Probe (TCP 1234): This signature fires when a TCP SYN packet to port 1234 which is a known trojan port for SubSeven is detected. ■ 9008-Back Door Probe (TCP 1999): This signature fires when a TCP SYN packet to port 1999 which is a known trojan port for SubSeven. www.syngress.com 267_cssp_ids_appx.qxd 9/30/03 5:35 PM Page 590 Cisco IDS Sensor Signatures • Appendix A 591 ■ 9009-Back Door Probe (TCP 6711): This signature fires when a TCP SYN packet to port 6711 which is a known trojan port for SubSeven. ■ 9010-Back Door Probe (TCP 6712): This signature fires when a TCP SYN packet to port 6712 which is a known trojan port for SubSeven. ■ 9011-Back Door Probe (TCP 6713): This signature fires when a TCP SYN packet to port 6713 which is a known trojan port for SubSeven. ■ 9012-Back Door Probe (TCP 6776): This signature fires when a TCP SYN packet to port 6776 which is a known trojan port for SubSeven. ■ 9013-Back Door Probe (TCP 16959): This signature fires when a TCP SYN packet to port 16959 which is a known trojan port for SubSeven. ■ 9014-Back Door Probe (TCP 27573): This signature fires when a TCP SYN packet to port 27573 which is a known trojan port for SubSeven. ■ 9015-Back Door Probe (TCP 23432): This signature fires when a TCP SYN packet to port 23432 which is a known trojan port for asylum. ■ 9016-Back Door Probe (TCP 5400): This signature fires when a TCP SYN packet to port 5400 which is a known trojan port for back-construction. ■ 9017-Back Door Probe (TCP 5401): This signature fires when a TCP SYN packet to port 5401 which is a known trojan port for back-construction. ■ 9018-Back Door Probe (TCP 2115): This signature fires when a TCP SYN packet to port 2115 which is a known trojan port for bugs. ■ 9019-Back Door (UDP 2140): This signature fires when a UDP packet to port 2140 which is a known trojan port for deep-throat. ■ 9020-Back Door (UDP 47262): This signature fires when a UDP packet to port 47262 which is a known trojan port for delta-source. ■ 9021-Back Door (UDP 2001): This signature fires when a UDP packet to port 2001 which is a known trojan port for the Apache/chunked-encoding worm. ■ 9022-Back Door (UDP 2002): This signature fires when a UDP packet to port 2002 which is a known trojan port for the Apache/mod_ssl worm. ■ 9023-Back Door Probe (TCP 36794): This signature fires when a TCP SYN packet to port 36794 which is a known trojan port for NetBus as well as the following: Bugbear www.syngress.com 267_cssp_ids_appx.qxd 9/30/03 5:35 PM Page 591 592 Appendix A • Cisco IDS Sensor Signatures ■ 9024-Back Door Probe (TCP 10168): This signature fires when a TCP SYN packet to port 10168 which is a known trojan port for lovegate. ■ 9025-Back Door Probe (TCP 20168): This signature fires when a TCP SYN packet to port 20168 which is a known trojan port for lovegate. ■ 9026-Back Door Probe (TCP 1092): This signature fires when a TCP SYN packet to port 1092 which is a known trojan port for lovegate. ■ 9027-Back Door Probe (TCP 2018): This signature fires when a TCP SYN packet to port 2018 which is a known trojan port for fizzer. ■ 9028-Back Door Probe (TCP 2019): This signature fires when a TCP SYN packet to port 2019 which is a known trojan port for fizzer. ■ 9029-Back Door Probe (TCP 2020): This signature fires when a TCP SYN packet to port 2020 which is a known trojan port for fizzer. ■ 9030-Back Door Probe (TCP 2021): This signature fires when a TCP SYN packet to port 2021 which is a known trojan port for fizzer. ■ 9200-Back Door Response (TCP 12345): This signature fires when a TCP SYN/ACK packet from port 12345 which is a known trojan port for NetBus as well as the following:Adore sshd,Ashley, cron / crontab, Fat Bitch trojan, GabanBus, icmp_client.c, icmp_pipe.c, Mypic, NetBus Toy, Pie Bill Gates,ValvNet,Whack Job, X-bill. ■ 9201-Back Door Response (TCP 31337): This signature fires when a TCP SYN/ACK packet from port 31337 which is a known trojan port for BackFire, Back Orifice, DeepBO, ADM worm, Baron Night, Beeone, bind- shell, BO client, BO Facil, BO spy, BO2, cron / crontab, Freak88, Freak2k, Gummo, Linux Rootkit, Sm4ck, Sockdmini. ■ 9202-Back Door Response (TCP 1524): This signature fires when a TCP SYN/ACK packet from port 1524 which is a common backdoor placed on machines by worms and hackers. ■ 9203-Back Door Response (TCP 2773): This signature fires when a TCP SYN/ACK packet from port 2773 which is a known trojan port for SubSeven. ■ 9204-Back Door Response (TCP 2774): This signature fires when a TCP SYN/ACK packet from port 2774 which is a known trojan port for SubSeven. www.syngress.com 267_cssp_ids_appx.qxd 9/30/03 5:35 PM Page 592 Cisco IDS Sensor Signatures • Appendix A 593 ■ 9205-Back Door Response (TCP 20034): This signature fires when a TCP SYN/ACK packet from port 20034 which is a known trojan port for Netbus Pro as well as NetRex and Whack Job. ■ 9206-Back Door Response (TCP 27374): This signature fires when a TCP SYN/ACK packet from port 27374 which is a known trojan port for SubSeven as well as Bad Blood, EGO, Fake SubSeven, Lion, Ramen, Seeker, The Saint,Ttfloader and Webhead. ■ 9207-Back Door Response (TCP 1234): This signature fires when a TCP SYN/ACK packet from port 1234 which is a known trojan port for SubSeven. ■ 9208-Back Door Response (TCP 1999): This signature fires when a TCP SYN/ACK packet from port 1999 which is a known trojan port for SubSeven. ■ 9209-Back Door Response (TCP 6711): This signature fires when a TCP SYN/ACK packet from port 6711 which is a known trojan port for SubSeven. ■ 9210-Back Door Response (TCP 6712): This signature fires when a TCP SYN/ACK packet from port 6712 which is a known trojan port for SubSeven. ■ 9211-Back Door Response (TCP 6713): This signature fires when a TCP SYN/ACK packet from port 6713 which is a known trojan port for SubSeven. ■ 9212-Back Door Response (TCP 6776): This signature fires when a TCP SYN/ACK packet from port 6776 which is a known trojan port for SubSeven. ■ 9213-Back Door Response (TCP 16959): This signature fires when a TCP SYN/ACK packet from port 16959 which is a known trojan port for SubSeven. ■ 9214-Back Door Response (TCP 27573): This signature fires when a TCP SYN/ACK packet from port 27573 which is a known trojan port for SubSeven. ■ 9215-Back Door Response (TCP 23432): This signature fires when a TCP SYN/ACK packet from port 23432 which is a known trojan port for asylum. www.syngress.com 267_cssp_ids_appx.qxd 9/30/03 5:35 PM Page 593 594 Appendix A • Cisco IDS Sensor Signatures ■ 9216-Back Door Response (TCP 5400): This signature fires when a TCP SYN/ACK packet from port 5400 which is a known trojan port for back- construction. ■ 9217-Back Door Response (TCP 5401): This signature fires when a TCP SYN/ACK packet from port 5401 which is a known trojan port for back- construction. ■ 9218-Back Door Response (TCP 2115): This signature fires when a TCP SYN/ACK packet from port 2115 which is a known trojan port for bugs. ■ 9223-Back Door Response (TCP 36794): This signature fires when a TCP SYN/ACK packet from port 36794 which is a known trojan port for NetBus as well as the following: Bugbear ■ 9224-Back Door Response (TCP 10168): This signature fires when a TCP SYN/ACK packet from port 10168 which is a known trojan port for love- gate. ■ 9225-Back Door Response (TCP 20168): This signature fires when a TCP SYN/ACK packet from port 20168 which is a known trojan port for love- gate. ■ 9226-Back Door Response (TCP 1092): This signature fires when a TCP SYN/ACK packet from port 1092 which is a known trojan port for love- gate. ■ 9227-Back Door Response (TCP 2018): This signature fires when a TCP SYN/ACK packet from port 2018 which is a known trojan port for fizzer. ■ 9228-Back Door Response (TCP 2019): This signature fires when a TCP SYN/ACK packet from port 2019 which is a known trojan port for fizzer. ■ 9229-Back Door Response (TCP 2020): This signature fires when a TCP SYN/ACK packet from port 2020 which is a known trojan port for fizzer. ■ 9230-Back Door Response (TCP 2021): This signature fires when a TCP SYN/ACK packet from port 2021 which is a known trojan port for fizzer. www.syngress.com 267_cssp_ids_appx.qxd 9/30/03 5:35 PM Page 594 Cisco IDS Sensor Signatures • Appendix A 595 Policy Violation signature series 10000 series The policy violation signatures apply to ACL violations. If you are not utilizing ACLs these alarms may or may not be utilized. Before you can use these the router(s) and sensor(s) need to be configured accordingly. ■ 10000:1000-IP-Spoof Interface 1: This signature fires on notification from the NetSentry device that an IP datagram has been received in which an IP address that is behind the router has been used as a source address in front of the router. ■ 10000:1001-IP-Spoof Interface 2: This signature fires on notification from the NetSentry device that an IP datagram has been received in which an IP address that is behind the router has been used as a source address in front of the router. ■ 11000-KaZaA v2 UDP Client Probe: Kazaa is a peer-to-peer (P2P) file sharing application distributed by Sharman Networks. ■ 11001-Gnutella Client Request: This signature fires when a peer-to-peer client program based on the gnutella protocol sending out a connection request. ■ 11002-Gnutella Server Reply: This signature fires when a peer-to-peer server program based on the gnutella protocol replying to a connection request. ■ 11003-Qtella File Request: This signature fires when the Qtella peer-to- peer file sharing client request a file from a sever. ■ 11004-Bearshare file request: This signature fires when the BearShare peer- to-peer file sharing client request a file from a sever. ■ 11005-KaZaA GET Request:The signature fires when a client request to the default KazaA server port (TCP 1214) is detected. ■ 11006-Gnucleus file request: This signature fires when the Gnucleaus peer- to-peer file sharing client request a file from a sever. ■ 11007-Limewire File Request: This signature fires when the LimeWire peer-to-peer file sharing client request a file from a sever. ■ 11008-Morpheus File Request: This signature fires when the Morpheus peer-to-peer file sharing client request a file from a sever. www.syngress.com 267_cssp_ids_appx.qxd 9/30/03 5:35 PM Page 595 [...]... Door Probe (TCP 101 68) 9224-Back Door Response (TCP 101 68) 1100 1-Gnutella Client Request 1100 2-Gnutella Server Reply 1100 3-Qtella File Request 1100 4-Bearshare file request 1100 5-KaZaA GET Request 1100 6-Gnucleus file request 1100 7-Limewire File Request 1100 8-Morpheus File Request 1100 9-Phex File Request 1101 0-Swapper File Request 1101 1-XoloX File Request 1101 2-GTK-Gnutella File Request I Release version... Weaver Attack 5102 -WWW phpPhotoAlbum explorer.php Access 5103 -WWW SuSE Apache CGI Source Access 5104 -WWW YaBB File Access www.syngress.com 267_cssp_ids_appx.qxd 9/30/03 5:35 PM Page 619 Cisco IDS Sensor Signatures • Appendix A 619 5105 -WWW Ranson Johnson mailto.cgi Attack 5106 -WWW Ranson Johnson mailform.pl Access 5107 -WWW Mandrake Linux /perl Access 5108 -WWW Netegrity Site Minder Access 5109 -WWW Sambar... Buffer Overflow 5319-SoftCart orders Directory Access 5320-ColdFusion administrator Directory Access I Release version S28 3167-Format String in FTP username 3708-AnalogX Proxy Socks4a DNS Overflow www.syngress.com 267_cssp_ids_appx.qxd 9/30/03 5:35 PM Page 607 Cisco IDS Sensor Signatures • Appendix A 607 3709-AnalogX Proxy Web Proxy Overflow 3 710 -Cisco Secure ACS Directory Traversal 5282-IIS ExAir advsearch.asp... Disclosure 5147-Arcadia Internet Store Directory Traversal Attempt 5148-Perception LiteServe Web Server CGI Script Source Code Disclosu 5149-Trend Micro Interscan Viruswall Configuration Modification 5150-InterScan VirusWall RegGo.dll Buffer Overflow 5151-WebStore Admin Bypass 5152-WebStore Command Exec 5154-WWW uDirectory Directory Traversal 5155-WWW SiteWare Editor Directory Traversal 5156-WWW Microsoft... 5:35 PM Page 596 Appendix A • Cisco IDS Sensor Signatures I 1100 9-Phex File Request: This signature fires when the Phex peer -to- peer file sharing client request a file from a sever I 1101 0-Swapper File Request: This signature fires when the Swapper peerto-peer file sharing client request a file from a sever I 1101 1-XoloX File Request: This signature fires when the BearShare peerto-peer file sharing client request... file from a sever I 1101 2-GTK-Gnutella File Request: This signature fires when the GTKGnutella peer -to- peer file sharing client request a file from a sever I 1101 3-Mutella File Request: This signature fires when the Mutella peer-topeer file sharing client request a file from a sever I 1101 4-Hotline Client Login:This signature is fired when a Hotline client logs into a hotline server I 1101 5-Hotline File Transfer:This... sensor and director has stopped When the services on the director and/or sensor are started this alarm will appear in the event viewer www.syngress.com 267_cssp_ids_appx.qxd 598 9/30/03 5:35 PM Page 598 Appendix A • Cisco IDS Sensor Signatures I 998 - Daemon Down: One or more of the IDS sensor services has stopped I 999 - Daemon Unstartable: One or more of the IDS sensor services is unable to be started... 5314- windmail.exe Command Execution I Release version S27 1108 -IP Packet with Proto 11 5279-JJ CGi Cmd Exec 5280-IIS idq.dll Directory Traversal 5281-Carello add.exe Access www.syngress.com 267_cssp_ids_appx.qxd 608 9/30/03 5:35 PM Page 608 Appendix A • Cisco IDS Sensor Signatures 5283-info2www CGI Directory Traversal 5284- IIS webhits.dll Directory Traversal 5285-PHPEventCalendar Cmd Exec 5286-WebScripts... 9/30/03 5:35 PM Page 614 Appendix A • Cisco IDS Sensor Signatures 4060-Back Orifice Ping 5173-Directory Manager Cmd Exec 5174-phpmyexplorer directory traversal 5175-Hassan Shopping Cart Command Exec 5176-Exchange Address List Disclosure I Release version S9 3114-FetchMail Arbitrary Code Execution 3162-glFtpD LIST DoS 3455-Java Web Server Cmd Exec 4101 -Cisco TFTPD Directory Traversal 4601-CheckPoint Firewall... Page 603 Cisco IDS Sensor Signatures • Appendix A 603 4508-Non SNMP Traffic 4613-TFTP Filename Buffer Overflow 5343-Apache Host Header Cross Site Scripting 5345-HTTPBench Information Disclosure 5346-BadBlue Information Disclosure 5347-Xoops WebChat SQL Injection 5348-Cobalt RaQ Server overflow.cgi Cmd Exec 7101 -ARP Source Broadcast 7102 -ARP Reply -to- Broadcast 7104 -ARP MacAddress-Flip-Flop-Response 7105 -ARP . Response (TCP 101 68) 1100 1-Gnutella Client Request 1100 2-Gnutella Server Reply 1100 3-Qtella File Request 1100 4-Bearshare file request 1100 5-KaZaA GET Request 1100 6-Gnucleus file request 1100 7-Limewire. file request 1100 7-Limewire File Request 1100 8-Morpheus File Request 1100 9-Phex File Request 1101 0-Swapper File Request 1101 1-XoloX File Request 1101 2-GTK-Gnutella File Request ■ Release. RaQ Server overflow.cgi Cmd Exec 7101 -ARP Source Broadcast 7102 -ARP Reply -to- Broadcast 7104 -ARP MacAddress-Flip-Flop-Response 7105 -ARP Inbalance-of-Requests 1100 0-KaZaA v2 UDP Client Probe ■ Release