https://community.cisco.com/t5/network-security/http-port-80/m-p/3216391#M1020255 <P>It looks as if it is being forwarded from the outside to your sensor. Do you has access to the ASA to check the NAT rules?</P> <P>There is the remote possibility of the source IP being spoofed, and the traffic is originating from somewhere within your network.</P> Tue, 14 Nov 2017 15:39:13 GMT Seb Rupik 2017-11-14T15:39:13Z https://community.cisco.com/t5/network-security/http-port-80/m-p/3216358#M1019999 <P>Hi Guys,</P> <P>&nbsp;</P> <P>We have an isensor device sitting behind our firewall and we keep getting alerts from the isensor device that http header is not blocked for that specified device. The only port that is open to that IP Address is smtp port 25. So why is the isensor saying that http is not blocked. Any help would greatly appreciated. I have pasted the isensor output below:</P> <P>&nbsp;</P> <P>Incident Summary&nbsp; The CTOC has received an alert for '54322 VID90223 Generic OGNL Injection Attempt Inbound - HTTP Header' from your iSensor device (198.10.1.21) for traffic (Not Blocked) destined to port 80/tcp of 198.10.1.21 that occurred on 2017-11-13 at 19:25:53. This may indicate that 133.22.217.11 is attempting to discover whether 198.10.1.21 is vulnerable to OGNL injection. Object-Graph Navigation Language (OGNL) is a Java-based expression language that exposes some of the functionality of Java.&nbsp; Attacker controlled input that gets evaluated as OGNL on the target's system(s) can result in arbitrary code execution.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Lake</P> Fri, 21 Feb 2020 14:45:04 GMT https://community.cisco.com/t5/network-security/http-port-80/m-p/3216358#M1019999 Lake 2020-02-21T14:45:04Z https://community.cisco.com/t5/network-security/http-port-80/m-p/3216363#M1020000 <P>Hi there,</P> <P>What's the output from:</P> <P>&nbsp;</P> <P><STRONG>packet-tracer input OUTSIDE tcp 133.22.217.11 45000 198.10.1.21 80</STRONG></P> <P>&nbsp;</P> <P>(assuming your outbound interface is named 'OUTSIDE')</P> <P>&nbsp;</P> <P>cheers,</P> <P>Seb.</P> Tue, 14 Nov 2017 15:17:41 GMT https://community.cisco.com/t5/network-security/http-port-80/m-p/3216363#M1020000 Seb Rupik 2017-11-14T15:17:41Z https://community.cisco.com/t5/network-security/http-port-80/m-p/3216370#M1020252 <P>Hi Seb,</P> <P>&nbsp;</P> <P>I don't have a packet tracer output from our ASA firewall. This is a snippet of the isensor output. Any idea why we keep getting these alerts?</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Lake</P> Tue, 14 Nov 2017 15:23:34 GMT https://community.cisco.com/t5/network-security/http-port-80/m-p/3216370#M1020252 Lake 2017-11-14T15:23:34Z https://community.cisco.com/t5/network-security/http-port-80/m-p/3216377#M1020253 <P>Hi Lake,</P> <P>What I am trying to determine is if traffic from the internet is actually being forward to your sensor. Since 133.22.217.11 is a globally routable address then I suspect the answer is yes. The packet-tracer output would confirm this.</P> <P>&nbsp;</P> <P>cheers,</P> <P>Seb.</P> Tue, 14 Nov 2017 15:26:40 GMT https://community.cisco.com/t5/network-security/http-port-80/m-p/3216377#M1020253 Seb Rupik 2017-11-14T15:26:40Z https://community.cisco.com/t5/network-security/http-port-80/m-p/3216387#M1020254 <P>Hi Seb,</P> <P>&nbsp;</P> <P>Is it possible to for http traffic from the internet to go through the ASA even that port is not open on the firewall? By this I mean any http traffic?</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Lake</P> Tue, 14 Nov 2017 15:35:13 GMT https://community.cisco.com/t5/network-security/http-port-80/m-p/3216387#M1020254 Lake 2017-11-14T15:35:13Z https://community.cisco.com/t5/network-security/http-port-80/m-p/3216391#M1020255 <P>It looks as if it is being forwarded from the outside to your sensor. Do you has access to the ASA to check the NAT rules?</P> <P>There is the remote possibility of the source IP being spoofed, and the traffic is originating from somewhere within your network.</P> Tue, 14 Nov 2017 15:39:13 GMT https://community.cisco.com/t5/network-security/http-port-80/m-p/3216391#M1020255 Seb Rupik 2017-11-14T15:39:13Z https://community.cisco.com/t5/network-security/http-port-80/m-p/3216397#M1020256 <P>I will open a case with Cisco and let them take a look at it. I appreciate all your help.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Lake</P> Tue, 14 Nov 2017 15:46:08 GMT https://community.cisco.com/t5/network-security/http-port-80/m-p/3216397#M1020256 Lake 2017-11-14T15:46:08Z