Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Signature for World of Warcraft

I would like some input on the best way to write a custom signature to detect WOW players on the network. I have created one based on TCP 3724 but am getting many false positives.

6 REPLIES
jim
New Member

Re: Signature for World of Warcraft

Are you setting your detection for both source and destination TCP 3724?

I could see false positive only then, as you might catch an inbound random source port from another tcp application.

New Member

Re: Signature for World of Warcraft

Now this is funny, I need to work at your company :-)

New Member

Re: Signature for World of Warcraft

Yea we are a dev shop and the engineers love the WOW. Not during business hours but .... against the acceptable use.

New Member

Re: Signature for World of Warcraft

Hi Tim,

I need to know more about the protocol to help you create a custom signature. Do you have a traffic sample I could look at?

Maybe we could write a signature to catch the registration of the application to the network.

Thanks,

Jonathan

New Member

Re: Signature for World of Warcraft

no i don't. I think the gamers are on to me. I based the custom sig on the information from Blizzard on firewalling WOW.

link is here

http://www.blizzard.com/support/wow/?id=aww0790p

New Member

Re: Signature for World of Warcraft

"That other IDS package" can find it with:

alert tcp $HOME_NET any -> $EXTERNAL_NET 3724 (msg:"World of Warcraft connection"; flow:established,to_server; content:"|00 02|"; depth:2; content:"WoW|00|"; distance:2; within:4;)

You can probably do that with the string engine.

241
Views
0
Helpful
6
Replies
CreatePlease to create content