12-15-2006 08:54 AM - edited 03-10-2019 03:22 AM
I would like some input on the best way to write a custom signature to detect WOW players on the network. I have created one based on TCP 3724 but am getting many false positives.
12-15-2006 10:43 AM
Are you setting your detection for both source and destination TCP 3724?
I could see false positives only then, as you might catch an inbound random source port from another TCP application.
12-18-2006 11:28 AM
Now this is funny, I need to work at your company :-)
12-18-2006 01:56 PM
Yeah, we are a dev shop and the engineers love WOW. Not during business hours, but ... against the acceptable use.
12-18-2006 06:19 PM
Hi Tim,
I need to know more about the protocol to help you create a custom signature. Do you have a traffic sample I could look at?
Maybe we could write a signature to catch the registration of the application to the network.
Thanks,
Jonathan
01-04-2007 01:24 PM
No, I don't. I think the gamers are on to me. I based the custom sig on the information from Blizzard on firewalling WOW.
Link is here
02-19-2007 12:26 PM
"That other IDS package" can find it with:
alert tcp $HOME_NET any -> $EXTERNAL_NET 3724 (msg:"World of Warcraft connection"; flow:established,to_server; content:"|00 02|"; depth:2; content:"WoW|00|"; distance:2; within:4;)
You can probably do that with the string engine.
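The payload options in that rule (content/depth/distance/within) and the source-vs-destination port point raised earlier in the thread, as an added example that is not part of any post: a small Python re-implementation of the rule's matching logic run over constructed packets. The Packet record, its to_server flag (standing in for Snort's flow:established,to_server), and every payload byte string are assumptions made for illustration, not captures from the original poster's network.

```python
from dataclasses import dataclass

# Added example, not code from the thread. It re-implements the matching
# logic of the posted Snort rule so the difference between a port-only
# signature and a content signature can be seen on sample data.
# Every packet below is constructed for illustration; none is a real capture.

WOW_PORT = 3724


@dataclass
class Packet:
    name: str
    src_port: int
    dst_port: int
    to_server: bool      # stands in for flow:established,to_server (assumed field)
    payload: bytes


def port_only_alert(pkt: Packet) -> bool:
    """A signature keyed on TCP 3724 as source OR destination: the
    approach that produced the false positives described in the thread."""
    return WOW_PORT in (pkt.src_port, pkt.dst_port)


def wow_content_match(payload: bytes) -> bool:
    """Python equivalent of the posted rule's payload options:
         content:"|00 02|"; depth:2;
         content:"WoW|00|"; distance:2; within:4;
    depth:2    -> the first pattern must lie within the first 2 bytes, so a
                  2-byte pattern can only sit at offset 0.
    distance:2 -> start looking 2 bytes after the end of the first match.
    within:4   -> the second pattern must fit entirely inside the next 4
                  bytes; a 4-byte pattern therefore sits exactly at offset 4.
    """
    if payload[:2] != b"\x00\x02":
        return False
    start = 2 + 2                      # end of first match + distance
    return payload[start:start + 4] == b"WoW\x00"


def content_alert(pkt: Packet) -> bool:
    """The posted rule as a whole: client -> server traffic to 3724 whose
    first bytes carry the WoW marker at the expected offsets."""
    return pkt.dst_port == WOW_PORT and pkt.to_server and wow_content_match(pkt.payload)


# Constructed samples. The first mirrors the byte layout the rule expects
# (two header bytes, a 2-byte field, then "WoW\0"); the rest are the kinds
# of traffic a port-only rule confuses with it.
SAMPLES = [
    Packet("wow-logon", 51000, WOW_PORT, True,
           b"\x00\x02\x2a\x00WoW\x00" + b"\x01\x0c\x01\xf3\x16"),
    Packet("ephemeral-src-3724-to-https", WOW_PORT, 443, True,
           b"\x16\x03\x01\x00\x2f"),          # client happened to pick 3724 as its source port
    Packet("http-to-3724", 51001, WOW_PORT, True,
           b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    Packet("wow-marker-at-wrong-offset", 51002, WOW_PORT, True,
           b"\x00\x02\x2a\x00\x00WoW\x00"),   # one byte late: within:4 fails
]


def evaluate(packets=SAMPLES) -> dict:
    """Return {name: (port_only_fired, content_rule_fired)} for each sample."""
    return {p.name: (port_only_alert(p), content_alert(p)) for p in packets}


if __name__ == "__main__":
    for name, (port_hit, content_hit) in evaluate().items():
        print(f"{name:32s} port-only={str(port_hit):5s} content-rule={content_hit}")
```

Only the first sample trips both checks; the other three trip the port-only signature and not the content rule, which is the false-positive gap the thread is about. Note that the offsets are relative to the TCP payload, so on a sensor whose string engine cannot anchor on payload offset the within/distance constraints would have to be approximated.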