Cisco Support Community
New Member

5307/0 - False Positives?

This softcart signature fired and I started investigating it. The signature itself states that it's supposed to be the Regexp + 500 chars. However, as I was browsing the site that generated the alerts, I was able to trigger this signature numerous times; the URI never had even close to the 500+ characters the description says are needed to fire this sig. Following is an example of the event details from the sensor itself:

evIdsAlert: eventId=1135897714516778088 vendor=Cisco severity=high
  originator:
    hostId: 27-fw-dmz-c1
    appName: sensorApp
    appInstanceId: 346
  time: February 21, 2006 5:52:11 PM UTC offset=-360 timeZone=GMT-06:00
  signature: description=Mercantec Softcart Overflow id=5307 version=S110
    subsigId: 0
    sigDetails: /cgi-bin/SoftCart.exe + 500 chars
  interfaceGroup:
  vlan: 0
  participants:
    attacker:
      addr: 206.195.195.101 locality=NETCACHE_EXT_IP
      port: 18929
    target:
      addr: 64.82.101.6 locality=ANY
      port: 80
  context:
    fromAttacker:
000000 63 61 74 69 6F 6E 2F 76 6E 64 2E 6D 73 2D 70 6F cation/vnd.ms-po
000010 77 65 72 70 6F 69 6E 74 2C 20 61 70 70 6C 69 63 werpoint, applic
000020 61 74 69 6F 6E 2F 6D 73 77 6F 72 64 2C 20 2A 2F ation/msword, */
000030 2A 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69 *..Accept-Encodi
000040 6E 67 3A 20 67 7A 69 70 2C 20 64 65 66 6C 61 74 ng: gzip, deflat
000050 65 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 e..Accept-Langua
000060 67 65 3A 20 65 6E 2D 75 73 0D 0A 52 65 66 65 72 ge: en-us..Refer
000070 65 72 3A 20 68 74 74 70 3A 2F 2F 77 77 77 2E 62 er: http://www.b
000080 61 62 79 6C 6F 76 65 2E 63 6F 6D 2F 63 67 69 2D abylove.com/cgi-
000090 62 69 6E 2F 53 6F 66 74 43 61 72 74 2E 65 78 65 bin/SoftCart.exe
0000A0 2F 73 63 73 74 6F 72 65 2F 73 69 74 65 70 61 67 /scstore/sitepag
0000B0 65 73 2F 65 76 65 6E 74 73 2E 68 74 6D 6C 3F 4C es/events.html?L
0000C0 2B 73 63 73 74 6F 72 65 2B 6E 6A 6F 69 30 35 35 +scstore+njoi055
0000D0 33 2B 31 31 34 30 35 36 31 36 34 35 0D 0A 55 73 3+1140561645..Us
0000E0 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C er-Agent: Mozill
0000F0 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C a/4.0 (compatibl
  riskRatingValue: 60
  interface: ge0_0
  protocol: tcp

The Network Security Database entry for this signature is described as: This signature fires upon seeing an HTTP GET request whose length is greater than 500 characters directed at /cgi-bin/softcart.exe.

Any information would be appreciated, thanks!

Regards,

-David

1 REPLY
Cisco Employee

Re: 5307/0 - False Positives?

Just a little clarification: it's the regex in the URI and 500+ characters in the entire request, not 500+ characters in the URI.

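To make the distinction in the reply concrete, here is an added example (not Cisco's signature engine and not code from either poster) that re-implements the matching logic as the reply describes it: the regex is tested against the URI in the request line, but the 500-character threshold is measured over the whole request, headers included. The sample request is constructed for this example from the fields visible in the dump above (a short SoftCart URI, a browser-style Accept header, the Referer, a User-Agent); the exact request line, Host and Cookie headers, the case-insensitive match, and the exact MSIE User-Agent are assumptions. A second function applies the reading the original poster had in mind (500+ characters in the URI alone) so the two interpretations can be compared on the same bytes.

```python
import re

# Assumption: the URI regex is a case-insensitive match on the SoftCart path.
# The sensor's sigDetails shows "SoftCart.exe", the NSDB text "softcart.exe".
SOFTCART_URI_RE = re.compile(rb"/cgi-bin/softcart\.exe", re.IGNORECASE)
LENGTH_THRESHOLD = 500  # "+ 500 chars" from sigDetails


def request_line(request: bytes):
    """Return (method, uri) from the first line of a raw HTTP request."""
    first = request.split(b"\r\n", 1)[0]
    parts = first.split(b" ")
    if len(parts) < 2:
        return None, None
    return parts[0], parts[1]


def request_uri(request: bytes) -> bytes:
    return request_line(request)[1] or b""


def sig_5307_fires(request: bytes) -> bool:
    """Matching logic as the reply describes it (hypothetical re-implementation):
    GET, regex on the URI, and the *entire request* longer than 500 bytes."""
    method, uri = request_line(request)
    if method != b"GET" or not uri:
        return False
    if not SOFTCART_URI_RE.search(uri):
        return False
    return len(request) > LENGTH_THRESHOLD


def uri_length_reading(request: bytes) -> bool:
    """The reading the original post assumed: 500+ characters in the URI itself."""
    method, uri = request_line(request)
    if method != b"GET" or not uri:
        return False
    return bool(SOFTCART_URI_RE.search(uri)) and len(uri) > LENGTH_THRESHOLD


# Constructed sample: a request line and headers modelled on the dump above.
SAMPLE_URI = (b"/cgi-bin/SoftCart.exe/scstore/sitepages/events.html"
              b"?L+scstore+njoi0553+1140561645")
SAMPLE_REQUEST = (
    b"GET " + SAMPLE_URI + b" HTTP/1.1\r\n"
    b"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, "
    b"application/vnd.ms-excel, application/vnd.ms-powerpoint, "
    b"application/msword, */*\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Accept-Language: en-us\r\n"
    b"Referer: http://www.babylove.com" + SAMPLE_URI + b"\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    b"Host: www.babylove.com\r\n"
    b"Cookie: SCS=njoi0553; lang=en-us\r\n"  # assumed cookie, constructed
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)

# Constructed controls: a tiny SoftCart request, a long request without the
# SoftCart path, and a request whose URI alone exceeds the threshold.
SHORT_REQUEST = (b"GET /cgi-bin/SoftCart.exe/scstore HTTP/1.0\r\n"
                 b"Host: www.babylove.com\r\n\r\n")
LONG_NON_SOFTCART_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                             b"Host: www.babylove.com\r\n"
                             b"X-Padding: " + b"A" * 600 + b"\r\n\r\n")
PADDED_URI_REQUEST = (b"GET /cgi-bin/SoftCart.exe/" + b"A" * 600 +
                      b" HTTP/1.0\r\nHost: www.babylove.com\r\n\r\n")


def summarize(request: bytes) -> dict:
    """Side-by-side view of both interpretations for one request."""
    return {
        "request_len": len(request),
        "uri_len": len(request_uri(request)),
        "fires_per_reply": sig_5307_fires(request),
        "fires_per_uri_reading": uri_length_reading(request),
    }


if __name__ == "__main__":
    for name, req in [("sample", SAMPLE_REQUEST), ("short", SHORT_REQUEST),
                      ("long_non_softcart", LONG_NON_SOFTCART_REQUEST),
                      ("padded_uri", PADDED_URI_REQUEST)]:
        print(name, summarize(req))
```

Run as a script, the sample request fires under the reply's reading (its URI is under a hundred bytes, but the Accept, Referer and User-Agent headers push the whole request past 500) and does not fire under the URI-only reading; the short request fires under neither, and only the padded-URI request fires under both. That is exactly the pattern the original poster saw: any ordinary browser visit to a SoftCart page carries enough header bytes to cross the threshold, so the alert volume reflects normal traffic rather than an attack.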