Community Member

Signature 3700 - CDE dtspcd buffer overflow

Hi, what is the criteria for triggering signature 3700 - CDE dtspcd buffer overflow? How does the engine determine that it is a CDE client request, besides using the destination port? Does it examine any other fields in addition to the data length? Thanks.


Re: Signature 3700 - CDE dtspcd buffer overflow

We look for a series of six 0x30 characters, which indicates a dtspcd client request, followed by a "non-printable" character which indicates the presence of a buffer overflow shell code pattern. dtspcd client requests should be formatted all in the traditional printable range based on our observations. This was observed in two different exploits versus normal CDE traffic. Does this explanation satisfy your question?
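An added example, not code from the thread or from the sensor, that implements the heuristic described in the reply above (six 0x30 bytes followed by a non-printable byte) and the two IP-based filters suggested later in the thread; the internal address range, web server address and sample payloads are constructed assumptions.

```python
import ipaddress

# Detection heuristic as described in the reply: six consecutive 0x30 ('0')
# bytes, as seen at the start of a dtspcd client request, immediately
# followed by a byte outside the printable ASCII range (0x20-0x7E).
MARKER = b"0" * 6

def is_printable(byte: int) -> bool:
    return 0x20 <= byte <= 0x7E

def matches_sig3700(payload: bytes) -> bool:
    """True if payload contains '000000' immediately followed by a non-printable byte."""
    idx = payload.find(MARKER)
    while idx != -1:
        nxt = idx + len(MARKER)
        if nxt < len(payload) and not is_printable(payload[nxt]):
            return True
        idx = payload.find(MARKER, idx + 1)  # advance by one so longer runs of '0' are covered
    return False

# Assumed address plan for the filters suggested in the thread (constructed values).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
INTERNAL_WEB_SERVERS = {ipaddress.ip_address("10.0.0.80")}

def should_alarm(payload: bytes, src: str, dst: str) -> bool:
    """Apply the two suggested filters after the payload check.

    1. Drop IN -> OUT alarms (internal source, external destination): a sensor that
       cannot tell client from server otherwise fires on replies leaving the network.
    2. Drop alarms whose source is a known internal web server.
    """
    if not matches_sig3700(payload):
        return False
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip in INTERNAL_NET and dst_ip not in INTERNAL_NET:
        return False
    if src_ip in INTERNAL_WEB_SERVERS:
        return False
    return True

# Constructed sample payloads (not captures of real traffic).
NORMAL_REQUEST = b"0000000100 0000a 4  1000 "          # all printable: no match
SUSPICIOUS_REQUEST = b"000000" + b"\x01" + b"A" * 16   # marker then a non-printable byte
HTTP_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
                 b"000000\x00\xff")                    # binary body happens to match too
```

The HTTP case shows the false positive discussed later in the thread: the payload matches, and only the source-address filter keeps it from alarming.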

Community Member

Re: Signature 3700 - CDE dtspcd buffer overflow

Yes, thanks for the information. But I have a couple more questions.

1) I THINK I found the pattern you described in the data context of most of the alarms. But there are a few which didn't log this pattern. Is it due to the timing of capturing the data?

2) Some of the alarms appear to be triggered by response to http/https request. Is there a way that I can filter out alarms based on the source or destination ports? I think the RecordOfExcludedPattern does not support filtering by ports?



Re: Signature 3700 - CDE dtspcd buffer overflow

1) I'm not sure about the answer to this one. Is the context data not being displayed at all?

2) 3.x sensors don't know what end of a TCP session is the server or client, so it is most likely what you are seeing. Unfortunately, the filters are only granular based on IP addresses. I'd recommend creating two filters for this signature. First, exclude internal address ranges as a source / external addresses as a destination (IN -> OUT) for the alarm. Second, exclude internal web servers causing this alarm to fire as a source.

Community Member

Re: Signature 3700 - CDE dtspcd buffer overflow

The context data is displayed. Don't worry about it. I am just curious.

Thanks for the suggestion about filtering.

