TrackerCam PHP Argument Overflow id=5469

HEATH FREEL
Level 1

I have a 4240 that is alarming on this signature from a number of internal hosts. The hosts have all been checked for viruses, spyware, etc., with nothing found. The IPS database indicates that there are no benign triggers. Could this be a false positive?

I have attached the alarm.

Does anyone have any ideas on how I should handle this?

Thanks,

2 Replies

a.arndt
Level 3

Based on the log you provided, this alarm relates to traffic outbound from your monitored network (though I noticed you haven't defined your Protected Network, represented by the variable $IN, yet), right?

The internal system is attempting to connect to IP 66.35.229.217, which does not resolve via an inverse lookup. The whois info says it belongs to Savvis Communications Inc. (savvis.net), which appears to be a web-hosting provider, or a "managed IP services provider" in their own words.

When you try to connect a browser to the same destination IP (http://66.35.229.217), you're immediately redirected to another site, http://www.gatorcorporation.com, which is blocked by my content filters as an undesirable web site.

This site has some interesting reverse lookup info.

Non-authoritative answer:
Name:    web.balance.gator.COM
Address: 66.35.229.182
Aliases: WWW.GATORCORPORATION.COM

It looks like there is a pool of IP addresses that all point back to the alias http://www.gatorcorporation.com to me. Given that, are you sure you don't have some spyware installed?

To answer your original question, yes this looks like a false positive, given what the alarm was supposed to trigger on. That being said, given the info gleaned about the web server involved, you might still want to double-check and make sure that you really aren't impacted by spyware, in light of the "gator" inferences.

I hope this helps,

Alex Arndt

Thanks for the info.

I am not sure what you mean by identifying the protected network. I know what that network is and I have created a number of filters that remove the internal network from certain alarms.

The issue is that I see these alarms triggering from multiple internal hosts to multiple external hosts.
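The two points raised in this thread, that the sensor can only tell you alarm direction once the protected network ($IN) is defined, and that the "multiple internal hosts to multiple external hosts" pattern is easier to judge once you see whether the destinations cluster into one hosting pool, can be worked through offline with a small triage script. The script below is an added example and is not from the original posters or from Cisco's IPS tooling; the alarm records, the protected-network ranges and the function names are constructed for illustration, and the simplified (signature id, source, destination) tuple stands in for whatever the real sensor exports.

```python
"""Triage helper for an IPS signature that fires from many internal hosts.

Added example, not part of the forum thread or of Cisco IPS. It assumes a
simplified alarm record (signature id, source IP, destination IP) and a
protected-network list that plays the role of the sensor's $IN variable.
"""
import ipaddress
from collections import defaultdict

# Hypothetical protected network, equivalent in spirit to the sensor's $IN.
# Replace with the real internal ranges before using this for triage.
PROTECTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample alarms (not a real sensor export): (sig id, src, dst).
# The 66.35.229.x destinations mirror the addresses discussed in the thread.
SAMPLE_ALARMS = [
    (5469, "10.1.2.10",   "66.35.229.217"),
    (5469, "10.1.2.11",   "66.35.229.217"),
    (5469, "10.1.5.40",   "66.35.229.182"),
    (5469, "10.1.7.8",    "66.35.229.190"),
    (5469, "203.0.113.9", "10.1.2.10"),     # inbound hit, for contrast
    (1234, "10.1.2.10",   "198.51.100.5"),  # unrelated signature, ignored
]


def is_protected(ip):
    """True when ip falls inside one of the protected (internal) ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROTECTED_NETWORKS)


def direction(src, dst):
    """Classify an alarm relative to the protected network, as the sensor
    would once $IN is defined: outbound, inbound, internal or external."""
    s, d = is_protected(src), is_protected(dst)
    if s and not d:
        return "outbound"
    if d and not s:
        return "inbound"
    if s and d:
        return "internal"
    return "external"


def summarize(alarms, sig_id):
    """For one signature: count alarms by direction and, for outbound hits,
    list the distinct internal sources seen per external destination."""
    by_dst = defaultdict(set)
    dirs = defaultdict(int)
    for sid, src, dst in alarms:
        if sid != sig_id:
            continue
        d = direction(src, dst)
        dirs[d] += 1
        if d == "outbound":
            by_dst[dst].add(src)
    return {
        "direction_counts": dict(dirs),
        "outbound_destinations": {k: sorted(v) for k, v in by_dst.items()},
    }


def shared_prefix(addrs, prefixlen=24):
    """Group destinations by /prefixlen so a server pool (several addresses
    behind one alias, as the reverse lookup suggested) shows up as one net."""
    nets = defaultdict(list)
    for a in addrs:
        net = ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
        nets[str(net)].append(a)
    return {k: sorted(v) for k, v in nets.items()}


if __name__ == "__main__":
    report = summarize(SAMPLE_ALARMS, 5469)
    print("direction counts:", report["direction_counts"])
    for dst, srcs in report["outbound_destinations"].items():
        print(f"  {dst}: {len(srcs)} internal host(s) -> {srcs}")
    print("destination pools:",
          shared_prefix(report["outbound_destinations"].keys()))
```

Run it against a real alarm export by replacing SAMPLE_ALARMS with the exported (signature, source, destination) triples. If every outbound destination for the signature collapses into one or two /24 networks belonging to the same hosting provider, that supports the "one server pool, probably benign application traffic" reading; if the inbound count is non-zero, those hits deserve separate attention, since the signature is not meant to fire on traffic leaving your network.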
