https://community.cisco.com/t5/network-security/mercantec-softcart-overflow/m-p/383538#M96624 <HTML><HEAD></HEAD><BODY><P>If this was on 5.0(1), you might try 5.0(2). There is a known issue if you tuned some regex based signatures they started to have false positives. The underlying issue was fixed in 5.0(2).</P></BODY></HTML> Fri, 15 Apr 2005 17:56:50 GMT scothrel 2005-04-15T17:56:50Z https://community.cisco.com/t5/network-security/mercantec-softcart-overflow/m-p/383532#M96604 <P>I have recently hooked up a 4240 and found a lot of internal traffic, producing this alarm. SIG ID 5307.</P><P></P><P>In looking at the packet data it seems to be ligitimate traffic - gmail and others. </P><P></P><P>The NSDB lists no benign triggers. </P><P></P><P>Does anyone have any other infomation of this signature? Should I just disable it?</P><P></P><P>Thanks,</P><P></P><P></P> Sun, 10 Mar 2019 09:22:03 GMT https://community.cisco.com/t5/network-security/mercantec-softcart-overflow/m-p/383532#M96604 HEATH FREEL 2019-03-10T09:22:03Z https://community.cisco.com/t5/network-security/mercantec-softcart-overflow/m-p/383533#M96612 <HTML><HEAD></HEAD><BODY><P>If my memory serves correct, I seem to remember that this signature was buggie in its initial release but has been rectified in one or other signature update.</P><P></P><P>what signature update is installed?? </P></BODY></HTML> Sat, 02 Apr 2005 13:14:46 GMT https://community.cisco.com/t5/network-security/mercantec-softcart-overflow/m-p/383533#M96612 darin.marais 2005-04-02T13:14:46Z https://community.cisco.com/t5/network-security/mercantec-softcart-overflow/m-p/383534#M96613 <HTML><HEAD></HEAD><BODY><P>I tried to search for the bug but did not find it so I could very well be wrong about it being bug prone I may have just confused it with something else, however the signature has been noted in one other thread on this forum.</P><P></P><P><A class="jive-link-custom" href="http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems/IDS&amp;CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dd69fe9" target="_blank">http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems/IDS&amp;CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dd69fe9</A></P><P></P></BODY></HTML> Sat, 02 Apr 2005 13:39:28 GMT https://community.cisco.com/t5/network-security/mercantec-softcart-overflow/m-p/383534#M96613 darin.marais 2005-04-02T13:39:28Z https://community.cisco.com/t5/network-security/mercantec-softcart-overflow/m-p/383535#M96614 <HTML><HEAD></HEAD><BODY><P>There are no known benign triggers for this signature. Signature 5307 is searching in the URI field for a request to /cgi-bin/softcart.exe with total request length over 500. The URI field in service.http is defined as anything from the GET to the next CRLF. This should prevent most false positives since the signature can only inspect http headers and looks for a large request to /cgi-bin/softcart.exe. If you could provide a traffic sample or captured packet from the suspected traffic it would be very helpful.</P><P></P><P></P><P>Thanks,</P><P>Craig</P></BODY></HTML> Sat, 02 Apr 2005 20:08:46 GMT https://community.cisco.com/t5/network-security/mercantec-softcart-overflow/m-p/383535#M96614 craiwill 2005-04-02T20:08:46Z https://community.cisco.com/t5/network-security/mercantec-softcart-overflow/m-p/383536#M96617 <HTML><HEAD></HEAD><BODY><P>I have attached the captured packet from the details of the alarm. </P><P></P><P>Any help is appreciated. </P><P></P><P> </P><P></P></BODY></HTML> Mon, 04 Apr 2005 11:38:44 GMT https://community.cisco.com/t5/network-security/mercantec-softcart-overflow/m-p/383536#M96617 HEATH FREEL 2005-04-04T11:38:44Z https://community.cisco.com/t5/network-security/mercantec-softcart-overflow/m-p/383537#M96621 <HTML><HEAD></HEAD><BODY><P>I do not see anything in this capture that would fire the alarm. It is possible that the call to the softcart executable is too far away from the end of the request and did not make it into the context buffer. What may be happening is that a company legitimately uses enough arguments on their softcart server to trigger the alarm. If the server from the capture is not running a vulnerable version this would not overflow the server, but it would overflow an older server. Since we really have no way of telling the version of softcart a server is running we cannot check that in the signature. That being said, if you have any captures that include the call to the softcart executable I could tell for sure and may be able to improve our signature. </P><P></P><P>Thanks,</P><P>Craig</P></BODY></HTML> Mon, 04 Apr 2005 12:58:28 GMT https://community.cisco.com/t5/network-security/mercantec-softcart-overflow/m-p/383537#M96621 craiwill 2005-04-04T12:58:28Z https://community.cisco.com/t5/network-security/mercantec-softcart-overflow/m-p/383538#M96624 <HTML><HEAD></HEAD><BODY><P>If this was on 5.0(1), you might try 5.0(2). There is a known issue if you tuned some regex based signatures they started to have false positives. The underlying issue was fixed in 5.0(2).</P></BODY></HTML> Fri, 15 Apr 2005 17:56:50 GMT https://community.cisco.com/t5/network-security/mercantec-softcart-overflow/m-p/383538#M96624 scothrel 2005-04-15T17:56:50Z