[Snort-sigs] possible fix for FPs for EXPLOIT CDE dtspcd exploit attempt sid:1398

Russell Fulton r.fulton at ...575...
Fri Oct 28 00:40:51 EDT 2005


Russell Fulton wrote:
> I have recently (last week or so) been seeing hits on this rule -- it
> would appear that something other than dtspcd is now using tcp 6112.
>

The most likely candidate is the World of Warcraft game, which also uses tcp 6112.

I've found a packet dump of a real exploit, and you need several hundred
chars of NOPs, so I propose adding isdata:500 to this sig, which will stop
it triggering on the short packets used by the game.  I suspect this sig
predates isdata or it would have been used.

Is there any interest in updating the rule?

Russell
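Added example, not from the post or from the Snort rule set: a toy Python evaluator of the two rule options at issue (a content match and an isdataat size gate), run over constructed packets to show the proposed gate suppressing short-packet hits while still firing on an exploit-sized payload. The content pattern, packet bytes and sizes are assumptions for illustration, not the real sid:1398 rule.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Placeholder content match: NOT the real sid:1398 pattern, just a constructed
# marker so the toy rule has something to match on besides the port.
PLACEHOLDER = b"\x00\x01"

@dataclass
class Rule:
    """The subset of Snort rule options this example models."""
    dport: int
    contents: List[Tuple[bytes, int, int]]  # (pattern, offset, depth)
    isdataat: Optional[int] = None         # isdataat:N (absolute, non-relative)

def content_at(payload: bytes, pattern: bytes, offset: int, depth: int) -> bool:
    """Snort-style content: pattern must lie within depth bytes from offset."""
    return pattern in payload[offset:offset + depth]

def matches(rule: Rule, dport: int, payload: bytes) -> bool:
    if dport != rule.dport:
        return False
    if not all(content_at(payload, *c) for c in rule.contents):
        return False
    # isdataat:N is modelled as "a payload byte exists at index N", so a
    # payload of N bytes or fewer fails the check.
    if rule.isdataat is not None and len(payload) <= rule.isdataat:
        return False
    return True

def alerting(rule: Rule, packets) -> List[str]:
    """Names of the constructed packets that would fire the rule."""
    return [name for name, dport, payload in packets if matches(rule, dport, payload)]

ORIGINAL = Rule(dport=6112, contents=[(PLACEHOLDER, 0, 8)])
PROPOSED = Rule(dport=6112, contents=[(PLACEHOLDER, 0, 8)], isdataat=500)

# Constructed traffic: a short game-style packet, the same bytes on another
# port, and a request padded to exploit-like size (filler bytes only).
PACKETS = [
    ("short-game-packet", 6112, PLACEHOLDER + b"\x00" * 40),
    ("short-other-port", 6113, PLACEHOLDER + b"\x00" * 40),
    ("long-request", 6112, PLACEHOLDER + b"A" * 700),
]

if __name__ == "__main__":
    print("original rule fires on:", alerting(ORIGINAL, PACKETS))
    print("proposed rule fires on:", alerting(PROPOSED, PACKETS))
```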
