Hi, what are the criteria for triggering signature 3700 - CDE dtspcd buffer overflow? How does the engine determine that it is a CDE client request, besides using the destination port? Does it examine any other fields in addition to the data length? Thanks.
We look for a series of six 0x30 characters, which indicates a dtspcd client request, followed by a "non-printable" character, which indicates the presence of a buffer overflow shellcode pattern. dtspcd client requests should be formatted entirely in the traditional printable range, based on our observations. This was observed in two different exploits versus normal CDE traffic. Does this explanation satisfy your question?
Yes, thanks for the information. But I have a couple more questions.
1) I THINK I found the pattern you described in the data context of most of the alarms. But there are a few which didn't log this pattern. Is it due to the timing of capturing the data?
2) Some of the alarms appear to be triggered by responses to http/https requests. Is there a way that I can filter out alarms based on the source or destination ports? I think the RecordOfExcludedPattern does not support filtering by ports?
1) I'm not sure about the answer to this one. Is the context data not being displayed at all?
2) 3.x sensors don't know which end of a TCP session is the server or client, so that is most likely what you are seeing. Unfortunately, the filters are only granular based on IP addresses. I'd recommend creating two filters for this signature. First, exclude internal address ranges as a source / external addresses as a destination (IN -> OUT) for the alarm. Second, exclude the internal web servers causing this alarm to fire as a source.
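As an added illustration that is not part of the original thread or of any Cisco sensor code: the snippet below models the 3700 pattern described in the first reply (six 0x30 bytes followed by a non-printable byte) and the two IP-based filters suggested in the last reply, and runs both over constructed traffic. The sample payloads are made up for the example and are not real dtspcd frames or captured alarms; the internal network range and web server address are assumptions, and treating CR/LF as "non-printable" is this example's choice, not a documented sensor behaviour. The HTTP sample shows how a response header such as "Content-Length: 2000000\r\n" can carry the byte pattern, which is one way an http/https response could fire the signature when the sensor cannot tell client from server.

```python
import ipaddress
import re

# Assumed detection rule, paraphrased from the reply above: six consecutive 0x30
# ('0') bytes immediately followed by a byte outside ASCII 0x20..0x7e. Counting
# CR/LF/TAB as "non-printable" is this example's assumption, not the sensor's
# documented behaviour.
SIG_3700 = re.compile(rb"0{6}[^\x20-\x7e]")


def matches_sig_3700(payload: bytes) -> bool:
    """True when the payload carries the 3700 pattern. The regex backtracks, so a
    run of more than six '0's followed by a non-printable byte also matches."""
    return SIG_3700.search(payload) is not None


def alarm_suppressed(src: str, dst: str, internal_nets, internal_web_servers) -> bool:
    """Apply the two IP-based filters suggested in the last reply:
    1. drop IN -> OUT alarms (internal source, external destination);
    2. drop alarms whose source is a known internal web server."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    src_internal = any(src_ip in n for n in nets)
    dst_internal = any(dst_ip in n for n in nets)
    if src_internal and not dst_internal:
        return True
    return src_ip in {ipaddress.ip_address(h) for h in internal_web_servers}


def triage(events, internal_nets, internal_web_servers):
    """Return {name: (fired, suppressed)} for a list of (name, src, dst, payload)."""
    out = {}
    for name, src, dst, payload in events:
        fired = matches_sig_3700(payload)
        out[name] = (fired, fired and alarm_suppressed(src, dst, internal_nets, internal_web_servers))
    return out


# Constructed sample traffic (assumed addresses; not real dtspcd frames or captured alarms).
INTERNAL_NETS = ["10.0.0.0/8"]
INTERNAL_WEB = ["10.0.0.80"]
EVENTS = [
    # benign dtspcd-style request: six '0's followed only by printable bytes
    ("benign_dtspcd", "10.0.0.5", "10.0.0.20", b"000000 0 SPC_REGISTER host=ws1 ttydev=/dev/pts/3"),
    # exploit-like request: six '0's then a NOP sled (0x90) and raw shellcode-style bytes
    ("overflow_like", "192.0.2.10", "10.0.0.20", b"000000" + b"\x90" * 24 + b"\x31\xc0\x50\x68"),
    # HTTP response from an internal web server: "2000000\r\n" contains six '0's then CR
    ("http_response", "10.0.0.80", "192.0.2.77",
     b"HTTP/1.1 200 OK\r\nContent-Length: 2000000\r\nContent-Type: application/octet-stream\r\n\r\n"),
    # same byte pattern leaving the network from an ordinary internal host (IN -> OUT)
    ("internal_out", "10.0.0.5", "198.51.100.3", b"000000" + b"\x00\x01\x02"),
]

if __name__ == "__main__":
    for name, (fired, suppressed) in triage(EVENTS, INTERNAL_NETS, INTERNAL_WEB).items():
        print(f"{name:14} fired={fired!s:5} suppressed={suppressed}")
```

The external-to-internal overflow-like request fires and is not suppressed, the benign request never fires, and the two internal-sourced events fire but are dropped by the IP filters. Note that the HTTP sample would not be suppressed if the internal web server were omitted from the second filter and the client were also internal, which is why the last reply recommends both filters rather than one.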
Log in to the FXOS chassis manager.
Direct your browser to https://hostname/, and log in using the username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...