https://community.cisco.com/t5/network-security/http-method-not-recognized-and-ntlm-authentication/m-p/698727#M87842 <HTML><HEAD></HEAD><BODY><P>The signatures that fire are 12674 and 12676</P></BODY></HTML> Wed, 10 Jan 2007 10:41:41 GMT rnaydenov 2007-01-10T10:41:41Z https://community.cisco.com/t5/network-security/http-method-not-recognized-and-ntlm-authentication/m-p/698725#M87838 <P>Does anybody know why ips signatures fire on ntlm authentication proxy? In our environment we have ISA 2004 and the ips is complaining about http not in rfc specs and http not recognized. Is it possible that ips does not understand ntlm proxy authentication?</P> Sun, 10 Mar 2019 10:24:40 GMT https://community.cisco.com/t5/network-security/http-method-not-recognized-and-ntlm-authentication/m-p/698725#M87838 rnaydenov 2019-03-10T10:24:40Z https://community.cisco.com/t5/network-security/http-method-not-recognized-and-ntlm-authentication/m-p/698726#M87840 <HTML><HEAD></HEAD><BODY><P>can you send me what signatures are firing and a traffic sample that is causing the issue? The sensor understands SMB and MSRPC, but does not do MSRPC over HTML and I wonder if your proxy authentication is implemented this way.</P><P></P><P>Scott Cothrell</P><P>Cisco IPS Dev Team</P></BODY></HTML> Tue, 09 Jan 2007 17:28:14 GMT https://community.cisco.com/t5/network-security/http-method-not-recognized-and-ntlm-authentication/m-p/698726#M87840 scothrel 2007-01-09T17:28:14Z https://community.cisco.com/t5/network-security/http-method-not-recognized-and-ntlm-authentication/m-p/698727#M87842 <HTML><HEAD></HEAD><BODY><P>The signatures that fire are 12674 and 12676</P></BODY></HTML> Wed, 10 Jan 2007 10:41:41 GMT https://community.cisco.com/t5/network-security/http-method-not-recognized-and-ntlm-authentication/m-p/698727#M87842 rnaydenov 2007-01-10T10:41:41Z https://community.cisco.com/t5/network-security/http-method-not-recognized-and-ntlm-authentication/m-p/698728#M87843 <HTML><HEAD></HEAD><BODY><P>These signatures are policy enforcement signatures. They are firing because the AIC engine has determined that the NTLM proxy application is running a non-web http based protocol on a web port. That will trigger 12674. 12676 is triggered when there is an HTTP request method being seen that is not in the list of acceptable HTTP request methods (listed in 12676 config). Currently, the method list should be considered static, even though it appears that you can add to this list, there are known issues that make updating it unreliable.</P><P></P><P>I'd look at the alarms to see if either the attacker or victim address is constant. I'm not sure how it will fire, but if one side is consistently the ISA system, then you can probably implement an alarm channel filter to keep those two signatures from firing with the ISA as the attacker/victim. Personally, I'd consider disabling the signatures since they are not compatible with your network policy.</P><P>WRT to tuning 12676, the entire AIC engine is being actively worked on to improve its robustness and functionality, though no specific release vehicle has been determined--yet.</P></BODY></HTML> Wed, 10 Jan 2007 14:53:31 GMT https://community.cisco.com/t5/network-security/http-method-not-recognized-and-ntlm-authentication/m-p/698728#M87843 scothrel 2007-01-10T14:53:31Z