[Snort-sigs] possible fix for FPs for EXPLOIT CDE dtspcd exploit attempt sid:1398
r.fulton at ...575...
Fri Oct 28 00:40:51 EDT 2005
Russell Fulton wrote:
> I have recently (last week or so) been seeing hits on this rule -- it
> would appear that something other than dtspcd is now using tcp 6112.
The most likely candidate is the World of Warcraft game, which also uses tcp-6112.
I've found a packet dump of a real exploit and you need several 100
chars of NOPs, so I propose adding isdata:500 to this sig, which will stop
it triggering on the short packets used by the game. I suspect this sig
predates isdata or it would have been used.
Is there any interest in updating the rule?