Signature 3700 - CDE dtspcd buffer overflow

rttsui
Level 1

Hi, what is the criteria for triggering signature 3700 - CDE dtspcd buffer overflow? How does the engine determine that it is a CDE client request, besides using the destination port? Does it examine any other fields in addition to the data length? Thanks.

4 Replies

mcerha
Level 3

We look for a series of six 0x30 characters, which indicates a dtspcd client request, followed by a "non-printable" character which indicates the presence of a buffer overflow shell code pattern. dtspcd client requests should be formatted all in the traditional printable range based on our observations. This was observed in two different exploits versus normal CDE traffic. Does this explanation satisfy your question?

Yes, thanks for the information. But I have a couple more questions.

1) I THINK I found the pattern you described in the data context of most of the alarms. But there are a few which didn't log this pattern. Is it due to the timing of capturing the data?

2) Some of the alarms appear to be triggered by response to http/https request. Is there a way that I can filter out alarms based on the source or destination ports? I think the RecordOfExcludedPattern does not support filtering by ports?

Thanks.

1) I'm not sure about the answer to this one. Is the context data not being displayed at all?

2) 3.x sensors don't know which end of a TCP session is the server or client, so it is most likely what you are seeing. Unfortunately, the filters are only granular based on IP addresses. I'd recommend creating two filters for this signature. First, exclude internal address ranges as a source / external addresses as a destination (IN -> OUT) for the alarm. Second, exclude internal web servers causing this alarm to fire as a source.
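The two replies above describe the matching rule (six 0x30 bytes followed by a non-printable byte) and the address-based workaround for the false positives. The following is an added example that puts both into code; it is not from the thread and is not the sensor's real implementation. It assumes "non-printable" means any byte outside 0x20..0x7E, assumes 10.0.0.0/8 as the internal range and 10.1.2.3 as an internal web server, and the payloads are constructed for illustration, so the exploit-like buffer is just NOP-style filler, not a working exploit.

```python
import ipaddress
import re

# Rule as described in the thread: six consecutive '0' (0x30) bytes, which mark a
# dtspcd client request, immediately followed by a byte outside printable ASCII.
# Treating "non-printable" as anything outside 0x20..0x7E is an assumption.
SIG_3700 = re.compile(rb"0{6}[^\x20-\x7e]")

# Assumed site layout for the address-based exclusions suggested in the thread.
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8")]          # assumption
INTERNAL_WEB_SERVERS = {ipaddress.ip_address("10.1.2.3")}        # assumption


def matches_sig_3700(payload: bytes) -> bool:
    """True if the payload contains '000000' followed by a non-printable byte."""
    return SIG_3700.search(payload) is not None


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in INTERNAL_RANGES)


def suppressed(src: str, dst: str) -> bool:
    """Apply the two IP-only exclusions the reply recommends:
    1. IN -> OUT: internal source to external destination.
    2. Internal web servers as source (covers their replies to internal clients).
    The sensor cannot tell client from server, so this is done purely by address."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if is_internal(s) and not is_internal(d):
        return True
    if s in INTERNAL_WEB_SERVERS:
        return True
    return False


def evaluate(src: str, dst: str, payload: bytes) -> str:
    """Return 'no-match', 'suppressed', or 'alert' for one observed TCP segment."""
    if not matches_sig_3700(payload):
        return "no-match"
    return "suppressed" if suppressed(src, dst) else "alert"


# Constructed sample payloads (not captured traffic).
# A normal-looking request: the six zeros are followed only by printable bytes.
BENIGN_REQUEST = b"000000 0002 SPC_REGISTER 10.0.0.5 1 "
# An overflow-style request: the header is followed by non-printable filler.
EXPLOIT_LIKE = b"000000" + b"\x90" * 16 + b"A" * 32
# An HTTP response whose binary body happens to contain the same pattern; with
# no client/server awareness the sensor treats it like any other segment.
HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
    b"000000\xff\xd8" + b"\x00" * 8
)


if __name__ == "__main__":
    cases = [
        ("192.0.2.10", "10.0.0.5", BENIGN_REQUEST),   # external -> internal dtspcd
        ("192.0.2.10", "10.0.0.5", EXPLOIT_LIKE),     # external -> internal dtspcd
        ("10.0.0.5", "192.0.2.10", HTTP_RESPONSE),    # IN -> OUT, excluded by filter 1
        ("10.1.2.3", "10.0.0.7", HTTP_RESPONSE),      # internal web server as source, filter 2
    ]
    for src, dst, payload in cases:
        print(f"{src} -> {dst}: {evaluate(src, dst, payload)}")
```

Note that a response from an external web server to an internal client is OUT -> IN and falls under neither exclusion, so with these two IP-only filters such a segment would still alert; that is a consequence of the filter logic in the example, not something stated in the thread.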

The context data is displayed. Don't worry about it. I am just curious.

Thanks for the suggestion about filtering.
