Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1186
Views
0
Helpful
6
Replies

Firepower cant handle long HTTP request (SCEP request)

lyutov_dv
Level 1
Level 1

‎04-02-2018 07:51 AM - edited ‎02-21-2020 07:35 AM

Hi!

I have a problem... We have A SCEP server behind firepower and i want to limit access to it from some networks only with specific URL (<server address>/certsrv/mscep/mscep.dll/pkiclient.exe&operation=). I want to do it to prevent connecting to admin part of SCEP server.

I created an access rule for this URL and it works when client is trying to recieve CA cert but it doesnt work to send SCEP request. I think it happens because it cant reassymbly long TCP or HTTP stream and it cant see the full URL. When i capture traffic i see what firepower blocks connection before client sends full request.

What TCP or HTTP parameters on firepower should i tune to avoid this behavior?

Labels:
0 Helpful
6 Replies 6

Marvin Rhoads
Hall of Fame
Hall of Fame

‎04-03-2018 07:15 AM

If you're trying to create an ACP that filters on an https URL you would need to decrypt and re-sign to fully parse the full URL (i.e. including the section following the top level domain (if using DNS) or server address).

 

URLs of up to 255 characters should be supported by default.

0 Helpful

lyutov_dv
Level 1
Level 1
In response to Marvin Rhoads

‎04-03-2018 07:57 AM

It's HTTP request.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to lyutov_dv

‎04-03-2018 08:30 AM

OK.

 

Can you share the access control policy details you are using?

 

Generally an ACP will be first match rule only - so if the more specific rule isn't first it will never be hit.

0 Helpful

lyutov_dv
Level 1
Level 1
In response to Marvin Rhoads

‎04-03-2018 08:42 AM

There are no deny rules before the rule i describe

The problem here what firepower cant reassymbly tcp packets and receive full http request to retrieve URL from it.
For exmple everything is ok if http request is not so long as SCEP request

 

For example:
SCEP CACertREQ works - http://<scep_server_name>/certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=<scep_server_name>

But SCEP CAReq doesnt - http://<scep_server_name>/certsrv/mscep/mscep.dll/pkiclient.exe?operation=PKIOperation&message=MIIJhgYJKoZIhvcNAQcCoIIJdzCCCXMCAQExDzANBglghkgBZQMEAgEFADCCBH0G%0ACSqGSIb3DQEHAaCCBG4EggRqMIIEZgYJKoZIhvcNAQcDoIIEVzCCBFMCAQAxggFG%0AMIIBQgIBADAqMBMxETAPBgNVBAMTCExhbW9kYUNBAhNuAAAXOuA02LSTzSTdAAAA%0AABc6MA0GCSqGSIb3DQEBAQUABIIBAEWh1othOUg%2Fy3ZRqtOVk1DEx%2FqXnjlAakrE%0AzfCTDQvolIHRLu4tQ4DH%2FL0TlnBBX%2FKHVASGpIXZvcvmNnvuXrGvq%2BS9viXpsbUe%0AHZAwmx3W%2B9yrdGwXaZFMtIJNTqoBsK1F%2B2TSrBGNAjpCNE5uoP3q4sVS4OM5qf99%0AV%2FnYrJTUAJxANHl61oYYBIZBxhE7iOA3D15UP354I4hYnpcM7yQAEik18WjAN4QM%0A1YeoQ5O1mXCCE4jdFScNBs42zboCl%2BlVPv2p%2FiKieiMGfYbb9J2YKfUlDxAgS9sa%0AbczLtVL0jT3uU0eB2IHHft1zpAKnv0KFF85BvXc1lx7Vmt3leVIwggMCBgkqhkiG%0A9w0BBwEwEQYFKw4DAgcECMQ2FgcYommXgIIC4IGaAXsvM%2ByFjrtNO%2FooUwXIE68Y%0AQEVtISPn3NjL7....

0 Helpful

Rahul Govindan
VIP Alumni
VIP Alumni
In response to lyutov_dv

‎04-03-2018 09:32 AM

Can you check if the Intrusion rule with GID 119 SID 15 is enabled and set to drop? Rule should be called "(119:15) HI_CLIENT_OVERSIZE_DIR". The documentation for this rule states:

 

This event is generated when the http_inspect pre-processor detects a request for a URL that is longer than a specified length. This may indicate an attack or an attempt to evade an IDS.

The default length seems to be 500 characters. 

0 Helpful

lyutov_dv
Level 1
Level 1
In response to Rahul Govindan

‎04-03-2018 11:57 PM

"(119:15) HI_CLIENT_OVERSIZE_DIR" is disabled but the connection is blocked by Default access rule not IPS

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card