09-13-2005 07:26 AM - edited 03-10-2019 01:37 AM
anyone else seeing false positives on event 3327 after installing sig S190?
09-13-2005 08:08 AM
Are you talking about IDS v4.1 or IPS v5.0?
Alex Arndt
09-14-2005 06:06 AM
V5.0
09-13-2005 09:35 AM
In addition to the version which subsignature is firing?
09-14-2005 06:07 AM
drilling down I don't see the subsig indicated.
How do I determine that?
09-14-2005 06:56 AM
It should be listed near the signature id; the exact location would depend on how you're getting the alerts (management platform, cli, etc).
09-14-2005 07:37 AM
subsig 6
I am using the Threat Analysis Console and you have to right click and show all columns to get the subsig. Sorry for the delay.
09-14-2005 07:49 AM
There are no known benign triggers for this signature. If you can provide a traffic sample we should be able to determine if the activity is malicious. The easiest way to do this is to enable capture packet for this signature.
09-15-2005 10:15 AM
09-15-2005 11:43 AM
There is nothing in this traffic that would cause this signature to fire. Without a traffic sample I cannot say for sure if this is a false positive. There are dozens of worms that use this vulnerability as a means of propagation, so internal alerts are not necessarily benign. You may want to look for alerts from the 3328-* signatures; they should also fire on most attempts to exploit this vulnerability.
09-16-2005 06:26 AM
09-16-2005 07:39 AM
Thank you for bringing this to our attention. This is indeed a false positive. We are researching this signature for modification in an upcoming signature update. In the meantime you can either filter out trusted hosts or create a metasignature using this signature as a component to reduce the chance of false positives.
Tune signature 3327-6 and remove the produce alert action.
Create a custom signature as follows:
Engine Meta
Component list:
3327-6
3328-0
Meta-reset-interval = 2
Severity high
Summarize
Meta-key = Axxx 1 unique victim
Component-list-in-order = false
Event action: produce alert
This signature will only fire when signatures 3327-6 and 3328-0 fire. Since 3327-6 would have no event action of its own you would not see alerts from it.
Note that this signature does not have as high fidelity as the original 3327-6; that being said, signature 3327-0 detects almost all public exploits for this vulnerability.
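As an added illustration (not from the thread and not Cisco's Meta engine code), here is a simplified Python model of the workaround above: 3327-6 loses its produce-alert action, and a meta signature keyed on the attacker address (Axxx) fires only when 3327-6 and 3328-0 both appear within the 2 second meta-reset-interval, in either order. The alerts and addresses are constructed sample data.

```python
# Constructed sample alerts, not from the thread: (time in seconds, sig id, subsig, attacker, victim)
ALERTS = [
    (100.0, 3327, 6, "10.0.0.5", "10.0.0.20"),   # lone 3327-6: the kind of alert being filtered out
    (200.0, 3327, 6, "10.0.0.9", "10.0.0.20"),
    (201.0, 3328, 0, "10.0.0.9", "10.0.0.21"),   # same attacker 1 s later: meta fires
    (300.0, 3328, 0, "10.0.0.7", "10.0.0.20"),
    (303.5, 3327, 6, "10.0.0.7", "10.0.0.20"),   # 3.5 s later: outside the 2 s reset interval
]

COMPONENTS = {(3327, 6), (3328, 0)}   # component list from the workaround
META_RESET_INTERVAL = 2.0             # seconds

def meta_key_axxx(alert):
    """Meta-key Axxx: correlate on the attacker address only (victim and ports ignored)."""
    return alert[3]

def meta_alerts(alerts, components=COMPONENTS, interval=META_RESET_INTERVAL, key=meta_key_axxx):
    """Simplified Meta engine: fire once every component has been seen for the same key
    within the reset interval, in any order (component-list-in-order = false)."""
    windows = {}   # key -> (time the window opened, set of components seen so far)
    fired = []
    for alert in sorted(alerts):
        ts, sig, sub = alert[0], alert[1], alert[2]
        if (sig, sub) not in components:
            continue
        k = key(alert)
        opened, seen = windows.get(k, (ts, set()))
        if ts - opened > interval:          # reset interval elapsed: start a fresh window
            opened, seen = ts, set()
        seen = seen | {(sig, sub)}
        if seen == components:
            fired.append((ts, k))
            windows.pop(k, None)            # all components matched; wait for a new sequence
        else:
            windows[k] = (opened, seen)
    return fired

def visible_alerts(alerts):
    """What the console shows once 3327-6 has no produce-alert action of its own:
    the remaining raw alerts plus the meta alerts derived from them."""
    raw = [a for a in alerts if (a[1], a[2]) != (3327, 6)]
    return raw, meta_alerts(alerts)

if __name__ == "__main__":
    raw, meta = visible_alerts(ALERTS)
    print("raw alerts still shown:", raw)
    print("meta alerts:", meta)   # [(201.0, '10.0.0.9')]
```

The lone 3327-6 at 100.0 and the pair at 300.0/303.5 produce nothing, which is the trade-off the reply describes: fewer false positives at the cost of a single-component detection.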
09-16-2005 09:28 AM
Thank you for sticking with me and getting this resolved. Thank you also for the workarounds.
09-16-2005 07:28 AM
I believe I am also seeing false positives for this signature; here is a packet capture from 5.0 IDS.
evIdsAlert: eventId=1119908756873907244 severity=high vendor=Cisco
originator:
hostId: WSB01
appName: sensorApp
appInstanceId: 6801
time: 2005/09/16 14:04:48 2005/09/16 07:04:48 MST
signature: description=Windows RPC DCOM Overflow id=3327 version=S188
subsigId: 6
sigDetails: <400 chars>
interfaceGroup:
vlan: 0
participants:
attacker:
addr: locality=INTERNAL 10.169.99.60
port: 2034
target:
addr: locality=WesternSecurity_Management 10.169.101.20
port: 445
context:
fromTarget:
000000 76 00 30 00 31 00 5C 00 48 00 50 00 20 00 4C 00 v.0.1.\.H.P. .L.
000010 61 00 73 00 65 00 72 00 4A 00 65 00 74 00 20 00 a.s.e.r.J.e.t. .
000020 39 00 30 00 30 00 30 00 20 00 50 00 43 00 4C 00 9.0.0.0. .P.C.L.
000030 20 00 36 00 2C 00 48 00 50 00 20 00 4C 00 61 00 .6.,.H.P. .L.a.
000040 73 00 65 00 72 00 4A 00 65 00 74 00 20 00 39 00 s.e.r.J.e.t. .9.
000050 30 00 30 00 30 00 20 00 50 00 43 00 4C 00 20 00 0.0.0. .P.C.L. .
000060 36 00 2C 00 54 00 69 00 65 00 72 00 72 00 61 00 6.,.T.i.e.r.r.a.
000070 20 00 42 00 75 00 65 00 6E 00 61 00 20 00 48 00 .B.u.e.n.a. .H.
000080 50 00 39 00 30 00 30 00 30 00 00 00 F0 00 00 00 P.9.0.0.0.......
000090 00 00 00 00 00 00 00 68 FF 53 4D 42 25 00 00 00 .......h.SMB%...
0000A0 00 98 07 C8 00 00 DC A1 9A 7B 6A 44 E3 88 00 00 .........{jD....
0000B0 07 B8 C0 03 00 60 82 0B 0A 00 00 30 00 00 00 00 .....`.....0....
0000C0 00 38 00 00 00 30 00 38 00 00 00 00 00 31 00 7C .8...0.8.....1.|
0000D0 05 00 02 03 10 00 00 00 30 00 00 00 1E 00 00 00 ........0.......
0000E0 18 00 00 00 00 00 00 00 00 00 00 00 62 1B 51 C7 ............b.Q.
0000F0 64 A4 55 47 A6 43 F4 DE 42 89 1C C1 00 00 00 00 d.UG.C..B.......
fromAttacker:
000000 20 20 20 30 39 2F 31 34 2F 30 35 1B 26 61 35 37 09/14/05.&a57
000010 48 1B 26 61 32 35 33 36 56 20 20 20 20 20 45 4E H.&a2536V EN
000020 44 50 4F 49 4E 54 20 4E 55 4D 42 45 52 3A 20 20 DPOINT NUMBER:
000030 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
000040 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
000050 20 20 20 20 20 20 39 31 33 20 20 20 53 45 51 55 913 SEQU
000060 45 4E 43 45 20 4E 55 4D 42 45 52 3A 20 20 20 20 ENCE NUMBER:
000070 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
000080 20 20 20 31 31 37 37 20 20 20 45 58 54 52 41 43 1177 EXTRAC
000090 54 20 4E 55 4D 42 45 52 3A 20 20 20 20 20 20 20 T NUMBER:
0000A0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0000B0 20 20 33 35 34 1B 26 61 00 00 00 80 FF 53 4D 42 354.&a.....SMB
0000C0 25 00 00 00 00 18 07 C8 00 00 E6 D6 37 64 86 27 %...........7d.'
0000D0 FC B7 00 00 07 B8 C0 03 00 60 02 0C 10 00 00 2C .........`.....,
0000E0 00 00 00 70 0E 00 00 00 00 00 00 00 00 00 00 00 ...p............
0000F0 00 54 00 2C 00 54 00 02 00 26 00 02 00 3D 00 10 .T.,.T...&...=..
riskRatingValue: 65
interface: fe0_1
protocol: tcp
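As an added example (not part of the post above), the following Python decodes a few lines quoted from the capture and pulls out what a defender would check before calling this a false positive: PCL cursor-positioning escapes in the attacker-side bytes, UTF-16LE printer-name text in the target-side bytes, and the SMB1 headers, whose command byte 0x25 is SMB_COM_TRANSACTION, the command that carries named-pipe traffic such as print spooler requests. The selected dump lines are not contiguous, so offsets in the parsed stream are relative to this subset only.

```python
import re

# Lines copied from the sensor capture above (fromAttacker 000000/000010/0000B0/0000C0,
# fromTarget 000000-000030 and 000090), so the byte offsets are not contiguous.
FROM_ATTACKER = r"""
000000 20 20 20 30 39 2F 31 34 2F 30 35 1B 26 61 35 37 09/14/05.&a57
000010 48 1B 26 61 32 35 33 36 56 20 20 20 20 20 45 4E H.&a2536V EN
0000B0 20 20 33 35 34 1B 26 61 00 00 00 80 FF 53 4D 42 354.&a.....SMB
0000C0 25 00 00 00 00 18 07 C8 00 00 E6 D6 37 64 86 27 %...........7d.'
""".strip().splitlines()
FROM_TARGET = r"""
000000 76 00 30 00 31 00 5C 00 48 00 50 00 20 00 4C 00 v.0.1.\.H.P. .L.
000010 61 00 73 00 65 00 72 00 4A 00 65 00 74 00 20 00 a.s.e.r.J.e.t. .
000020 39 00 30 00 30 00 30 00 20 00 50 00 43 00 4C 00 9.0.0.0. .P.C.L.
000030 20 00 36 00 2C 00 48 00 50 00 20 00 4C 00 61 00 .6.,.H.P. .L.a.
000090 00 00 00 00 00 00 00 68 FF 53 4D 42 25 00 00 00 .......h.SMB%...
""".strip().splitlines()

# offset (6 hex digits) followed by up to 16 hex bytes; the trailing ASCII column is ignored
HEX_LINE = re.compile(r"^\s*[0-9A-Fa-f]{6}((?:\s+[0-9A-Fa-f]{2}){1,16})")
SMB_COM_TRANSACTION = 0x25  # SMB1 command used for named-pipe traffic such as the print spooler

def parse_hexdump(lines):
    """Convert sensor hexdump lines into a byte string."""
    data = bytearray()
    for line in lines:
        m = HEX_LINE.match(line)
        if m:
            data += bytes.fromhex(m.group(1))  # fromhex ignores the whitespace between bytes
    return bytes(data)

def smb_headers(data):
    """Return (offset, command byte) for each SMB1 header (0xFF 'SMB' + command) in the stream."""
    return [(m.start(), data[m.start() + 4]) for m in re.finditer(rb"\xffSMB", data)
            if m.start() + 4 < len(data)]

def pcl_escapes(data):
    """Extract PCL cursor-positioning escapes (ESC & a <n> H|V) that identify a print job."""
    return [m.group(0)[1:].decode("ascii") for m in re.finditer(rb"\x1b&a\d+[HV]", data)]

def utf16_strings(data, min_chars=4):
    """Recover printable UTF-16LE runs, e.g. Windows printer/driver names sent by the target."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars
    return [m.group(0).decode("utf-16-le") for m in re.finditer(pattern, data)]

if __name__ == "__main__":
    a, t = parse_hexdump(FROM_ATTACKER), parse_hexdump(FROM_TARGET)
    print("attacker PCL escapes:", pcl_escapes(a), "SMB headers:", smb_headers(a))
    print("target strings:", utf16_strings(t), "SMB headers:", smb_headers(t))
```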