[Snort-sigs] possible FPs for EXPLOIT CDE dtspcd exploit attempt sid:1398

Russell Fulton r.fulton at ...575...
Wed Oct 26 17:23:45 EDT 2005


I have recently (last week or so) been seeing hits on this rule -- it
would appear that something other than dtspcd is now using TCP 6112.

It's a long time since I saw a packet dump of a dtspcd exploit attempt,
but this does not appear to be one (unless the exploit has been chopped
into several packets, which *is* possible).

If this is something new using 6112, is there a way to tune the rule
(using isdataat to check for a minimum length for the stream?) to cut
these FPs?  Or should we just retire the rule -- is anyone still running a
vulnerable dtspcd server...

Russell.

META
--------
SID	CID	TimeStamp		Signature
6	3503835	2005-10-26 15:14:52	EXPLOIT CDE dtspcd exploit attempt
Sig ID
1398

Sensor Hostname				Sensor Interface
hihi.insec.auckland.ac.nz	new dmz sensor

IP
--------
Source Address	Dest Address	Ver	Hdr Len
130.216.1.194	63.241.83.209	4	5
TOS	length	ID	flags	offset	TTL	chksum
0	86	47893	2	0	127	10288

Resolved Source
ororke.resnet.auckland.ac.nz

Resolved Dest
Could Not Resolve


TCP
--------
Source Port	Dest Port	Seq		Ack		
52139		6112		2719606480	939170281
Offset	Reserved	Flags	Window	Checksum	Urgent Ptr
8	0		24	49830	19887		0

Options
--------
None


Flags
--------
RB 1	RB 0	URG	ACK	PSH	RST	SYN	FIN
			X	X				

DATA
--------
F75222001AF29A44DC25	.R"....D.%
31DBC7BB0B9F7A69BC57	1.....zi.W
FBB5AC5205890A0F6111	...R....a.
361A7E7B	6.~{

DATA
--------
.R"....D.%1.....zi.W...R....a.6.~{
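Added example (not part of Russell's post, the Snort rule set, or any dtspcd code): a small Python check that takes the hex payload and header fields straight from the alert above, confirms the packet carries only 34 bytes of data, and applies a minimum-length test of the kind an isdataat-style keyword expresses. It also shows the caveat raised in the post: when a large request is chopped into small segments, a per-packet length test never fires, while the same test over the reassembled stream does. The threshold `MIN_OFFSET` (1024) is a hypothetical tuning value chosen for illustration, not the logic of sid 1398, and the 2048-byte "oversized request" is a constructed stand-in, not a dtspcd exploit.

```python
"""Minimum-payload-length check against the alert in the post.

Added example. The hex dump and header fields below are copied from the
alert's DATA, IP and TCP sections; MIN_OFFSET is a hypothetical threshold.
"""
import binascii
from typing import List

# Hex payload exactly as printed in the alert's DATA section (34 bytes).
ALERT_PAYLOAD_HEX = (
    "F75222001AF29A44DC25"
    "31DBC7BB0B9F7A69BC57"
    "FBB5AC5205890A0F6111"
    "361A7E7B"
)

# Header fields copied from the alert's IP and TCP sections.
IP_TOTAL_LENGTH = 86   # IP "length"
IP_HDR_WORDS = 5       # IP "Hdr Len", in 32-bit words
TCP_DATA_OFFSET = 8    # TCP "Offset", in 32-bit words

# Hypothetical tuning threshold, NOT taken from sid 1398: only alert when
# the request has data at this offset or beyond.
MIN_OFFSET = 1024


def decode_alert_payload() -> bytes:
    """The payload bytes from the alert, as raw bytes."""
    return binascii.unhexlify(ALERT_PAYLOAD_HEX)


def payload_len_from_headers(ip_total_len: int, ip_hdr_words: int,
                             tcp_data_offset: int) -> int:
    """TCP payload length implied by the IP and TCP header length fields."""
    return ip_total_len - ip_hdr_words * 4 - tcp_data_offset * 4


def has_data_at(payload: bytes, offset: int) -> bool:
    """True when a byte exists at `offset` (0-based), i.e. len > offset.

    This is the test a minimum-length keyword such as isdataat expresses;
    Snort's exact boundary semantics are deliberately not modelled here.
    """
    return len(payload) > offset


def segment(data: bytes, size: int) -> List[bytes]:
    """Chop a stream into fixed-size segments (constructed packet splitting)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def per_packet_check(segments: List[bytes], min_offset: int) -> List[bool]:
    """Apply the length test to each segment on its own."""
    return [has_data_at(s, min_offset) for s in segments]


def stream_check(segments: List[bytes], min_offset: int) -> bool:
    """Apply the length test to the reassembled stream."""
    return has_data_at(b"".join(segments), min_offset)


if __name__ == "__main__":
    pkt = decode_alert_payload()
    from_headers = payload_len_from_headers(IP_TOTAL_LENGTH, IP_HDR_WORDS,
                                            TCP_DATA_OFFSET)
    print("payload bytes in dump:", len(pkt), "| from header fields:", from_headers)
    print("alert packet reaches MIN_OFFSET:", has_data_at(pkt, MIN_OFFSET))

    # Constructed stand-in for an oversized request (not a real exploit),
    # chopped into 34-byte segments to mirror the "split into several
    # packets" worry from the post.
    big = b"A" * 2048
    segs = segment(big, 34)
    print("any single segment reaches MIN_OFFSET:",
          any(per_packet_check(segs, MIN_OFFSET)))
    print("reassembled stream reaches MIN_OFFSET:",
          stream_check(segs, MIN_OFFSET))
```

The header arithmetic (86 - 20 - 32) agrees with the 34 bytes in the dump, so this packet is far below any threshold a real overflow payload would have to reach, and a length test would suppress it. The second half of the example is the catch: the same test applied per packet is defeated by splitting the request into small segments, so it only cuts FPs safely if it is evaluated over the reassembled stream rather than on individual packets.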



