https://community.cisco.com/t5/network-security/trackercam-php-argument-overflow-id-5469/m-p/337944#M98168 <P>I have a 4240 that is alarming on this signature from a number of internal hosts. The hosts have all been checked for Virus, spyware etc. with nothing found. The IPS database indicates that there are no benign triggers. Could this be a false positive?</P><P></P><P>I have attached the alarm.</P><P></P><P>Does anyone have any ideas on how I should handle this?</P><P></P><P>Thanks,</P><P></P><P> </P><P></P> Sun, 10 Mar 2019 09:23:42 GMT HEATH FREEL 2019-03-10T09:23:42Z https://community.cisco.com/t5/network-security/trackercam-php-argument-overflow-id-5469/m-p/337944#M98168 <P>I have a 4240 that is alarming on this signature from a number of internal hosts. The hosts have all been checked for Virus, spyware etc. with nothing found. The IPS database indicates that there are no benign triggers. Could this be a false positive?</P><P></P><P>I have attached the alarm.</P><P></P><P>Does anyone have any ideas on how I should handle this?</P><P></P><P>Thanks,</P><P></P><P> </P><P></P> Sun, 10 Mar 2019 09:23:42 GMT https://community.cisco.com/t5/network-security/trackercam-php-argument-overflow-id-5469/m-p/337944#M98168 HEATH FREEL 2019-03-10T09:23:42Z https://community.cisco.com/t5/network-security/trackercam-php-argument-overflow-id-5469/m-p/337945#M98170 <HTML><HEAD></HEAD><BODY><P>Based on your the log you provided, this alarm relates to traffic outbound from your monitored network, (though I noticed you haven't defined your Protected Network, represented by variable $IN, yet) right?</P><P></P><P>The internal system is attempting to connect to IP 66.35.229.217, which does not resolve via an inverse lookup. The whois info says it belongs to Savvis Communications Inc. (savvis.net), which appears to be a web-hosting provider, or a "managed IP services provider" in their own words.</P><P></P><P>When you try to connect a browser to the same destination IP (<A class="jive-link-custom" href="http://66:35.229.217" target="_blank">http://66:35.229.217</A>), you're immediately redirected to another site, <A class="jive-link-custom" href="http://www.gatorcorporation.com" target="_blank">http://www.gatorcorporation.com</A>, which is blocked by my content filters as a undesirable web site.</P><P></P><P>This site has some interesting reverse lookup info.</P><P>Non-authoritative answer:</P><P>Name: web.balance.gator.COM</P><P>Address: 66.35.229.182</P><P>Aliases: <A class="jive-link-custom" href="http://WWW.GATORCORPORATION.COM" target="_blank">http://WWW.GATORCORPORATION.COM</A></P><P></P><P>It looks like there is a pool of IP addresses that all point back to the alias <A class="jive-link-custom" href="http://www.gatorcorporation.com" target="_blank">http://www.gatorcorporation.com</A> to me. Given that, are you sure you don't have some spyware installed?</P><P></P><P>To answer your original question, yes this looks like a false positive, given what the alarm was supposed to trigger on. That being said, given the info gleaned about the web server involved, you might still want to double-check and make sure that you really aren't impacted by spyware, in light of the "gator" inferences.</P><P></P><P>I hope this helps,</P><P>Alex Arndt</P></BODY></HTML> Wed, 13 Apr 2005 13:09:57 GMT https://community.cisco.com/t5/network-security/trackercam-php-argument-overflow-id-5469/m-p/337945#M98170 a.arndt 2005-04-13T13:09:57Z https://community.cisco.com/t5/network-security/trackercam-php-argument-overflow-id-5469/m-p/337946#M98171 <HTML><HEAD></HEAD><BODY><P>Thanks for the info. </P><P></P><P>I am not sure what you mean by identifiying the protected network. I know what that network is and I have created a number of filters that remove internal network from certain alarms. </P><P></P><P>The issue is that I see this alarms triggering from multiple internal hosts to multiple external hosts. </P></BODY></HTML> Wed, 13 Apr 2005 15:13:46 GMT https://community.cisco.com/t5/network-security/trackercam-php-argument-overflow-id-5469/m-p/337946#M98171 HEATH FREEL 2005-04-13T15:13:46Z