This softcart signature fired and I started investigating it. The signature itself states that it's supposed to be the Regexp + 500 chars. However, as I was browsing the site that generated the alerts, I was able to trigger this signature numerous times, but the URI never had even close to the +500 characters the description says is needed to fire this sig. The following is an example of the details of the event from the sensor itself:
The Network Security Database entry for this signature is described as: This signature fires upon seeing an HTTP GET request whose length is greater than 500 characters directed at /cgi-bin/softcart.exe.