Firewall messages

Chris Gabel — Mon, 11 Mar 2019 23:27:28 GMT

Hi All,

I'm really new to firewalls, I have configured one using CCP and the basic firewall wizard with medium security. I just have my laptop plugged into the LAN port and I noticed a couple weird logs that I want to ask about when surfing the web, and retrieving outlook emails.

I'm getting 4 main messages:

004528: Jul 6 11:26:46.528 MDT: %APPFW-4-HTTP_DEOBFUSCATION: Deobfuscation signature (15) detected - session 192.168.0.2:64657 74.125.225.121:80 on zone-pair ccp-zp-in-out class ccp-protocol-http appl-class ccp-http-blockparam

004620: Jul 6 11:30:21.596 MDT: %APPFW-4-HTTP_DEOBFUSCATION: Deobfuscation signature (16) detected - session 192.168.0.2:64640 74.125.225.121:80 on zone-pair ccp-zp-in-out class ccp-protocol-http appl-class ccp-http-blockparam

004603: Jul 6 11:27:08.164 MDT: %APPFW-4-HTTP_PROTOCOL_VIOLATION: HTTP protocol violation (0) detected - session 208.38.45.167:80 192.168.0.2:64852 on zone-pair ccp-zp-in-out class ccp-protocol-http appl-class ccp-http-blockparam

When using Send/Receive in Outlook i get:

004630: Jul 6 11:33:39.980 MDT: %FW-5-POP3_INVALID_COMMAND: (target:class)-(ccp-zp-in-out:ccp-protocol-pop3):Invalid POP3 command from initiator (192.168.0.2:64993): Invalid verb

Everything seems to work fine, I can send and receive emails, I can surf websites and google with no issues. Is this just logging or should I be worried about any of these messages?

Thanks!!!

-Chris

More Info

#show policy-map type inspect http

Policy Map type inspect http ccp-action-app-http

Class ccp-http-blockparam

Log

Allow

Class ccp-app-httpmethods

Log

Reset

Class ccp-http-allowparam

Log

Allow

#show class-map type inspect http

Class Map type inspect http match-any ccp-app-httpmethods (id 😎

Match request method bcopy

Match request method bdelete

Match request method bmove

Match request method bpropfind

Match request method bproppatch

Match request method connect

Match request method copy

Match request method delete

Match request method edit

Match request method getattribute

Match request method getattributenames

Match request method getproperties

Match request method index

Match request method lock

Match request method mkcol

Match request method mkdir

Match request method move

Match request method notify

Match request method options

Match request method poll

Match request method propfind

Match request method proppatch

Match request method put

Match request method revadd

Match request method revlabel

Match request method revlog

Match request method revnum

Match request method save

Match request method search

Match request method setattribute

Match request method startrev

Match request method stoprev

Match request method subscribe

Match request method trace

Match request method unedit

Match request method unlock

Match request method unsubscribe

Class Map type inspect http match-any ccp-http-blockparam (id 15)

Match request port-misuse im

Match request port-misuse p2p

Match req-resp protocol-violation

Class Map type inspect http match-any ccp-http-allowparam (id 4)

Match request port-misuse tunneling

Firewall messages

Chris Gabel — Mon, 09 Jul 2012 16:05:15 GMT

Bump!

Firewall messages

Maykol Rojas — Tue, 10 Jul 2012 06:21:39 GMT

WAMP!

Hi Chris, Mike here. I see the problem there. We have a section ask the expert where Julio Carvajal is answering Firewalling questions in IOS devices.

Going back to the question, I see where the problem is. Many Websites on the internet are not HTTP compliant, what you are doing with the configuration you did with CCP is creating this AGGRESSIVE inspection in layer 7 inspection for web traffic, meaning, the traffic on HTTP may slow down or have Random connectivity issues. This is mainly because of the service policy configured inside of the HTTP inspection.

As I can see is not only HTTP but it is extending to other protocols as well, my best advice for you is, if you are sure where attack may come from, apply a deep packet inspection to it. I dont particularly like wizzards so if you wanna get deep to a protocol it would be better if you know what you want to match.

Leave the protocols without layer 7 inspection, they will still look at the form of the packet and make sure it is RFC compliant, custom commands (POP and SMTP) custom Methods (HTTP) may get dropped as you can see.

Hope it helps!!!

Mike

topic Firewall messages in Network Security

Firewall messages

Firewall messages

Firewall messages