https://community.cisco.com/t5/network-security/5307-0-false-positives/m-p/509823#M98674 <HTML><HEAD></HEAD><BODY><P>Just a little clarification, it's the regex in the URI and 500+ characters in the entire request, not 500+ characters in the URI.</P></BODY></HTML> Wed, 22 Feb 2006 00:41:52 GMT wsulym 2006-02-22T00:41:52Z https://community.cisco.com/t5/network-security/5307-0-false-positives/m-p/509822#M98673 <P>This softcart signature fired and I started investigating it. The signature itself states that it's supposed to be the Regexp + 500 chars. However, as I was browsing the site that generated the alerts, I was able to trigger this signature numerous times, however the URI never had even close to the +500 characters the description says is needed to fire this sig. Following is an example of the details of the event from the sensor itself:</P><P></P><P>evIdsAlert: eventId=1135897714516778088 vendor=Cisco severity=high </P><P> originator: </P><P> hostId: 27-fw-dmz-c1 </P><P> appName: sensorApp </P><P> appInstanceId: 346 </P><P> time: February 21, 2006 5:52:11 PM UTC offset=-360 timeZone=GMT-06:00 </P><P> signature: description=Mercantec Softcart Overflow id=5307 version=S110 </P><P> subsigId: 0 </P><P> sigDetails: /cgi-bin/SoftCart.exe + 500 chars </P><P> interfaceGroup: </P><P> vlan: 0 </P><P> participants: </P><P> attacker: </P><P> addr: 206.195.195.101 locality=NETCACHE_EXT_IP </P><P> port: 18929 </P><P> target: </P><P> addr: 64.82.101.6 locality=ANY </P><P> port: 80 </P><P> context: </P><P> fromAttacker: </P><P>000000 63 61 74 69 6F 6E 2F 76 6E 64 2E 6D 73 2D 70 6F cation/vnd.ms-po</P><P>000010 77 65 72 70 6F 69 6E 74 2C 20 61 70 70 6C 69 63 werpoint, applic</P><P>000020 61 74 69 6F 6E 2F 6D 73 77 6F 72 64 2C 20 2A 2F ation/msword, */</P><P>000030 2A 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69 *..Accept-Encodi</P><P>000040 6E 67 3A 20 67 7A 69 70 2C 20 64 65 66 6C 61 74 ng: gzip, deflat</P><P>000050 65 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 e..Accept-Langua</P><P>000060 67 65 3A 20 65 6E 2D 75 73 0D 0A 52 65 66 65 72 ge: en-us..Refer</P><P>000070 65 72 3A 20 68 74 74 70 3A 2F 2F 77 77 77 2E 62 er: <A class="jive-link-custom" href="http://www.b" target="_blank">http://www.b</A></P><P>000080 61 62 79 6C 6F 76 65 2E 63 6F 6D 2F 63 67 69 2D abylove.com/cgi-</P><P>000090 62 69 6E 2F 53 6F 66 74 43 61 72 74 2E 65 78 65 bin/SoftCart.exe</P><P>0000A0 2F 73 63 73 74 6F 72 65 2F 73 69 74 65 70 61 67 /scstore/sitepag</P><P>0000B0 65 73 2F 65 76 65 6E 74 73 2E 68 74 6D 6C 3F 4C es/events.html?L</P><P>0000C0 2B 73 63 73 74 6F 72 65 2B 6E 6A 6F 69 30 35 35 +scstore+njoi055</P><P>0000D0 33 2B 31 31 34 30 35 36 31 36 34 35 0D 0A 55 73 3+1140561645..Us</P><P>0000E0 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C er-Agent: Mozill</P><P>0000F0 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C a/4.0 (compatibl</P><P></P><P> riskRatingValue: 60 </P><P> interface: ge0_0 </P><P> protocol: tcp </P><P></P><P></P><P>The Network Security Database entry for this signature is described as: This signature fires upon seeing an HTTP get request whos length is greater than 500 characters directed at /cgi-bin/softcart.exe.</P><P></P><P>Any information would be appreciated, thanks!</P><P></P><P>Regards,</P><P>-David</P> Sun, 10 Mar 2019 09:54:04 GMT https://community.cisco.com/t5/network-security/5307-0-false-positives/m-p/509822#M98673 j826430 2019-03-10T09:54:04Z https://community.cisco.com/t5/network-security/5307-0-false-positives/m-p/509823#M98674 <HTML><HEAD></HEAD><BODY><P>Just a little clarification, it's the regex in the URI and 500+ characters in the entire request, not 500+ characters in the URI.</P></BODY></HTML> Wed, 22 Feb 2006 00:41:52 GMT https://community.cisco.com/t5/network-security/5307-0-false-positives/m-p/509823#M98674 wsulym 2006-02-22T00:41:52Z