11-28-2002 01:27 PM - edited 03-09-2019 01:14 AM
Hi, what is the criteria for triggering signature 3700 - CDE dtspcd buffer overflow? How does the engine determine that it is a CDE client request, besides using the destination port? Does it examine any other fields in addition to the data length? Thanks.
12-02-2002 09:15 PM
We look for a series of six 0x30 characters, which indicates a dtspcd client request, followed by a "non-printable" character which indicates the presence of a buffer overflow shell code pattern. dtspcd client requests should be formatted all in the traditional printable range based on our observations. This was observed in two different exploits versus normal CDE traffic. Does this explanation satisfy your question?
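The matching rule described in the reply above, written out as a small added example (this is illustrative code, not the sensor's signature engine): six 0x30 bytes followed by a byte outside printable ASCII. The printable range 0x20-0x7e, the sample payloads and the dtspcd header layout used in them are all assumptions constructed for the demo; the point is to show a request that does not fire, an overflow-style request that does, and an HTTP response that fires for the reason discussed later in the thread.

```python
import re

# Signature 3700 as described in the reply: six '0' (0x30) bytes followed by
# a byte outside printable ASCII. Treating 0x20-0x7e as "printable" is an
# assumption; the reply only says "non-printable".
SIG3700 = re.compile(rb"0{6}[^\x20-\x7e]")


def sig3700_offset(payload: bytes):
    """Return the offset of the first match of the 3700 pattern, or None."""
    m = SIG3700.search(payload)
    return m.start() if m else None


def sig3700_trigger_byte(payload: bytes):
    """Return the non-printable byte value that completed the match, or None."""
    m = SIG3700.search(payload)
    return m.group(0)[-1] if m else None


# Constructed sample payloads (not captures). The dtspcd header layout here
# is made up for illustration and is not taken from the protocol itself.
SAMPLES = {
    # all-printable request: the run of zeros is followed by '2' and ' '
    "dtspcd_normal": b"00000002 0000 000b 0000 SPC_ABORT\x00",
    # overflow-style request: a run of zeros then a NOP-like 0x90 sled
    "dtspcd_overflow": b"00000002 0000 1000 " + b"000000" + b"\x90" * 16,
    # HTTP response whose binary body happens to start after six zeros;
    # a sensor that cannot tell client from server sees only the pattern
    "http_response": b"HTTP/1.1 200 OK\r\nContent-Length: 9\r\n\r\n"
    + b"000000" + b"\x00\x01\x02",
    # fewer than six consecutive zeros before the non-printable byte
    "short_run": b"00000 0\x00",
}


def scan(samples=SAMPLES):
    """Map each sample name to the match offset (None when it does not fire)."""
    return {name: sig3700_offset(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, off in scan().items():
        verdict = "no alarm" if off is None else f"ALARM at offset {off}"
        print(f"{name:16s} {verdict}")
```

The `http_response` sample is the interesting one: nothing in the rule looks at direction or port, so any stream carrying six ASCII zeros immediately before a binary byte fires, which is exactly the false-positive class raised in the follow-up question below.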
12-03-2002 12:20 PM
Yes, thanks for the information. But I have a couple more questions.
1) I THINK I found the pattern you described in the data context of most of the alarms. But there are a few which didn't log this pattern. Is it due to the timing of capturing the data?
2) Some of the alarms appear to be triggered by response to http/https request. Is there a way that I can filter out alarms based on the source or destination ports? I think the RecordOfExcludedPattern does not support filtering by ports?
Thanks.
12-04-2002 08:44 PM
1) I'm not sure about the answer to this one. Is the context data not being displayed at all?
2) 3.x sensors don't know which end of a TCP session is the server or client, so that is most likely what you are seeing. Unfortunately, the filters are only granular based on IP addresses. I'd recommend creating two filters for this signature. First, exclude internal address ranges as a source / external addresses as a destination (IN -> OUT) for the alarm. Second, exclude internal web servers causing this alarm to fire as a source.
12-10-2002 12:47 PM
The context data is displayed. Don't worry about it. I am just curious.
Thanks for the suggestion about filtering.