[Snort-sigs] possible fix for FPs for EXPLOIT CDE dtspcd exploit attempt sid:1398

Alex Kirk alex.kirk at ...435...
Mon Oct 31 06:10:17 EST 2005


Russell Fulton wrote:

>Russell Fulton wrote:
>  
>
>>I have recently (last week or so) been seeing hits on this rule -- it
>>would appear that something other than dtspcd is now using tcp 6112.
>>
>>    
>>
>
>most likely candidate is World of Warcraft game that also uses tcp-6112.
>
>I've found a packet dump of a real exploit and you need several 100
>chars of NOPs so I propose adding isdata:500 to this sig that will stop
>it triggering on the short packets used by the game.  I suspect this sig
> predates isdata or it would have been used.
>
>Is there any interest in updating the rule?
>  
>
Yes -- we're always interested in eliminating false positives, 
especially if they're due to something popular like World of Warcraft. 
Can you please send PCAPs of the false positive traffic, as well as the 
exploit you found, so we can verify your suggestion and make appropriate 
changes to the rule?

Thanks,
Alex Kirk
Research Analyst
Sourcefire, Inc.




More information about the Snort-sigs mailing list