Mercantec Softcart Overflow

HEATH FREEL
Level 1

I have recently hooked up a 4240 and found a lot of internal traffic, producing this alarm. SIG ID 5307.

In looking at the packet data it seems to be legitimate traffic - gmail and others.

The NSDB lists no benign triggers.

Does anyone have any other information on this signature? Should I just disable it?

Thanks,

6 Replies

darin.marais
Level 4

If my memory serves correctly, I seem to remember that this signature was buggy in its initial release but has been rectified in one or another signature update.

What signature update is installed?

I tried to search for the bug but did not find it, so I could very well be wrong about it being bug-prone; I may have just confused it with something else. However, the signature has been noted in one other thread on this forum:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dd69fe9

craiwill
Cisco Employee

There are no known benign triggers for this signature. Signature 5307 is searching in the URI field for a request to /cgi-bin/softcart.exe with total request length over 500. The URI field in service.http is defined as anything from the GET to the next CRLF. This should prevent most false positives since the signature can only inspect http headers and looks for a large request to /cgi-bin/softcart.exe. If you could provide a traffic sample or captured packet from the suspected traffic it would be very helpful.

Thanks,

Craig

I have attached the captured packet from the details of the alarm.

Any help is appreciated.

I do not see anything in this capture that would fire the alarm. It is possible that the call to the softcart executable is too far away from the end of the request and did not make it into the context buffer. What may be happening is that a company legitimately uses enough arguments on their softcart server to trigger the alarm. If the server from the capture is not running a vulnerable version this would not overflow the server, but it would overflow an older server. Since we really have no way of telling the version of softcart a server is running we cannot check that in the signature. That being said, if you have any captures that include the call to the softcart executable I could tell for sure and may be able to improve our signature.

Thanks,

Craig
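The two posts above describe what signature 5307 actually checks (a request to /cgi-bin/softcart.exe in the URI field, which runs from GET to the next CRLF, with a length over 500) and why the attached capture might not show the softcart call (the alarm's context buffer holds only the tail of the request). The following is an added example, not Cisco's signature engine code and not anything from this thread. It assumes that "total request length over 500" is measured on the URI field, and that the alarm context is the trailing 256 bytes of the request; both the threshold placement and the context size are assumptions, and the sample requests are constructed, not taken from the poster's attachment.

```python
"""Model of the check Craig describes for Cisco IPS signature 5307.

Added example, not Cisco's signature engine code. Assumptions: the URI field
is the request line from GET up to the next CRLF; "total request length over
500" is measured on that field; the alarm context buffer holds only the
trailing CONTEXT_BYTES of the request (size is hypothetical).
"""
from typing import Optional

SOFTCART_PATH = b"/cgi-bin/softcart.exe"
LENGTH_THRESHOLD = 500        # bytes; taken from Craig's description
CONTEXT_BYTES = 256           # assumed size of the alarm context buffer


def uri_field(request: bytes) -> Optional[bytes]:
    """Return the service.http URI field: everything from GET to the next CRLF.

    Returns None when the request does not start with GET or has no CRLF,
    since the signature as described only inspects HTTP headers.
    """
    line, sep, _ = request.partition(b"\r\n")
    if not sep or not line.startswith(b"GET "):
        return None
    return line


def sig_5307_fires(request: bytes) -> bool:
    """True when the URI field names /cgi-bin/softcart.exe and exceeds the threshold."""
    field = uri_field(request)
    if field is None:
        return False
    return SOFTCART_PATH in field and len(field) > LENGTH_THRESHOLD


def alarm_context(request: bytes, size: int = CONTEXT_BYTES) -> bytes:
    """What an analyst sees in the alarm details: only the tail of the request (assumed)."""
    return request[-size:]


def context_shows_softcart(request: bytes, size: int = CONTEXT_BYTES) -> bool:
    """Does the captured context still contain the softcart path?

    For a long request the path sits near the start and can fall outside the
    window, so the capture looks like ordinary query parameters.
    """
    return SOFTCART_PATH in alarm_context(request, size)


def triage(request: bytes) -> dict:
    """Run the described check and report whether the capture would explain it."""
    return {
        "fires": sig_5307_fires(request),
        "softcart_visible_in_context": context_shows_softcart(request),
    }


# Constructed sample traffic (not the thread's attachment).
GMAIL_LONG = (b"GET /mail/?ui=2&view=cv&search=inbox&th=" + b"a" * 600
              + b" HTTP/1.1\r\nHost: mail.google.com\r\n\r\n")
SOFTCART_SHORT = (b"GET /cgi-bin/softcart.exe?storeid=1&item=42 HTTP/1.0\r\n"
                  b"Host: shop.example\r\n\r\n")
SOFTCART_LONG = (b"GET /cgi-bin/softcart.exe?storeid=1&cart=" + b"x" * 600
                 + b" HTTP/1.0\r\nHost: shop.example\r\n\r\n")


if __name__ == "__main__":
    for name, req in [("gmail_long", GMAIL_LONG),
                      ("softcart_short", SOFTCART_SHORT),
                      ("softcart_long", SOFTCART_LONG)]:
        print(name, triage(req))
```

The long Gmail request does not fire because the path is absent, the short softcart request does not fire because the URI field is under the threshold, and the long softcart request fires while its context window no longer contains the path, which is the situation Craig suggests for the attached capture.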

scothrel
Level 3

If this was on 5.0(1), you might try 5.0(2). There is a known issue if you tuned some regex based signatures they started to have false positives. The underlying issue was fixed in 5.0(2).
