Firewall messages

Chris Gabel
Level 1

Hi All,

I'm really new to firewalls. I have configured one using CCP and the basic firewall wizard with medium security. I just have my laptop plugged into the LAN port, and I noticed a couple of weird logs that I want to ask about when surfing the web and retrieving Outlook emails.

I'm getting 4 main messages:

004528: Jul  6 11:26:46.528 MDT: %APPFW-4-HTTP_DEOBFUSCATION: Deobfuscation signature (15) detected - session 192.168.0.2:64657 74.125.225.121:80 on zone-pair ccp-zp-in-out class ccp-protocol-http appl-class ccp-http-blockparam

004620: Jul  6 11:30:21.596 MDT: %APPFW-4-HTTP_DEOBFUSCATION: Deobfuscation signature (16) detected - session 192.168.0.2:64640 74.125.225.121:80 on zone-pair ccp-zp-in-out class ccp-protocol-http appl-class ccp-http-blockparam

004603: Jul  6 11:27:08.164 MDT: %APPFW-4-HTTP_PROTOCOL_VIOLATION: HTTP protocol violation (0) detected - session 208.38.45.167:80 192.168.0.2:64852 on zone-pair ccp-zp-in-out class ccp-protocol-http appl-class ccp-http-blockparam

When using Send/Receive in Outlook I get:

004630: Jul  6 11:33:39.980 MDT: %FW-5-POP3_INVALID_COMMAND: (target:class)-(ccp-zp-in-out:ccp-protocol-pop3):Invalid POP3 command from initiator (192.168.0.2:64993): Invalid verb

Everything seems to work fine, I can send and receive emails, I can surf websites and google with no issues. Is this just logging or should I be worried about any of these messages?

Thanks!!!

-Chris

More Info

#show policy-map type inspect http
  Policy Map type inspect http ccp-action-app-http
    Class ccp-http-blockparam
      Log
      Allow
    Class ccp-app-httpmethods
      Log
      Reset
    Class ccp-http-allowparam
      Log
      Allow

#show class-map type inspect http
Class Map type inspect http match-any ccp-app-httpmethods (id 8)
   Match  request method bcopy
   Match  request method bdelete
   Match  request method bmove
   Match  request method bpropfind
   Match  request method bproppatch
   Match  request method connect
   Match  request method copy
   Match  request method delete
   Match  request method edit
   Match  request method getattribute
   Match  request method getattributenames
   Match  request method getproperties
   Match  request method index
   Match  request method lock
   Match  request method mkcol
   Match  request method mkdir
   Match  request method move
   Match  request method notify
   Match  request method options
   Match  request method poll
   Match  request method propfind
   Match  request method proppatch
   Match  request method put
   Match  request method revadd
   Match  request method revlabel
   Match  request method revlog
   Match  request method revnum
   Match  request method save
   Match  request method search
   Match  request method setattribute
   Match  request method startrev
   Match  request method stoprev
   Match  request method subscribe
   Match  request method trace
   Match  request method unedit
   Match  request method unlock
   Match  request method unsubscribe
Class Map type inspect http match-any ccp-http-blockparam (id 15)
   Match  request port-misuse im
   Match  request port-misuse p2p
   Match  req-resp protocol-violation
Class Map type inspect http match-any ccp-http-allowparam (id 4)
   Match  request port-misuse tunneling
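An added triage helper (my own code, not Chris's configuration or a Cisco tool) that reads the log lines and the `show policy-map type inspect http` output quoted above and reports, for each message, which zone-pair, class and appl-class fired and whether that appl-class is configured to Allow (log only) or Reset. The sample strings are copied from the post; the record field names are my own.

```python
import re

# Constructed sample input: the three distinct message formats quoted in the post.
LOGS = """\
004528: Jul  6 11:26:46.528 MDT: %APPFW-4-HTTP_DEOBFUSCATION: Deobfuscation signature (15) detected - session 192.168.0.2:64657 74.125.225.121:80 on zone-pair ccp-zp-in-out class ccp-protocol-http appl-class ccp-http-blockparam
004603: Jul  6 11:27:08.164 MDT: %APPFW-4-HTTP_PROTOCOL_VIOLATION: HTTP protocol violation (0) detected - session 208.38.45.167:80 192.168.0.2:64852 on zone-pair ccp-zp-in-out class ccp-protocol-http appl-class ccp-http-blockparam
004630: Jul  6 11:33:39.980 MDT: %FW-5-POP3_INVALID_COMMAND: (target:class)-(ccp-zp-in-out:ccp-protocol-pop3):Invalid POP3 command from initiator (192.168.0.2:64993): Invalid verb
"""
# Constructed sample: the relevant part of the 'show policy-map type inspect http' output.
POLICY_MAP = """\
  Policy Map type inspect http ccp-action-app-http
    Class ccp-http-blockparam
      Log
      Allow
    Class ccp-app-httpmethods
      Log
      Reset
"""

# Layer 7 (APPFW) messages name session, zone-pair, L4 class and appl-class;
# layer 4 (FW) inspect messages carry (target:class)-(zone-pair:class) and no appl-class.
APPFW_RE = re.compile(
    r"%(?P<mnemonic>APPFW-\d-\w+): .*?session (?P<src>\S+) (?P<dst>\S+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+) appl-class (?P<appl>\S+)")
FW_RE = re.compile(
    r"%(?P<mnemonic>FW-\d-\w+): \(target:class\)-\((?P<zp>[^:]+):(?P<cls>[^)]+)\)")

def parse_policy_map(text):
    """Map each Class in the HTTP policy-map to its terminal action (Allow or Reset)."""
    actions, current = {}, None
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["Class"]:
            current = tok[1]
        elif current and tok and tok[0] in ("Allow", "Reset"):
            actions[current] = tok[0]
    return actions

def triage(logs, policy_map):
    """One record per log line: what fired, and whether the appl-class action blocks it."""
    actions = parse_policy_map(policy_map)
    records = []
    for line in logs.splitlines():
        if m := APPFW_RE.search(line):
            action = actions.get(m["appl"], "unknown")
            records.append({"mnemonic": m["mnemonic"], "zone_pair": m["zp"], "class": m["cls"],
                            "session": f"{m['src']} -> {m['dst']}", "appl_class": m["appl"],
                            "action": action, "blocked": action == "Reset"})
        elif m := FW_RE.search(line):  # L4 message: the HTTP policy-map says nothing about it
            records.append({"mnemonic": m["mnemonic"], "zone_pair": m["zp"], "class": m["cls"],
                            "session": None, "appl_class": None, "action": "n/a", "blocked": None})
    return records
```

On the post's own data every APPFW message resolves to appl-class ccp-http-blockparam, whose action is Allow, so those entries are log-only; the POP3 message comes from the L4 inspect engine and is not covered by the HTTP policy-map at all.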


Chris Gabel
Level 1

Bump!

WAMP!

Hi Chris, Mike here. I see the problem there. We have a section, Ask the Expert, where Julio Carvajal is answering firewalling questions on IOS devices.

Going back to the question, I see where the problem is. Many websites on the Internet are not HTTP compliant. What you are doing with the configuration you did with CCP is creating this AGGRESSIVE layer 7 inspection for web traffic, meaning the HTTP traffic may slow down or have random connectivity issues. This is mainly because of the service policy configured inside of the HTTP inspection.

As I can see, it is not only HTTP but it is extending to other protocols as well. My best advice for you is, if you are sure where an attack may come from, apply deep packet inspection to it. I don't particularly like wizards, so if you want to get deep into a protocol it would be better if you know what you want to match.

Leave the protocols without layer 7 inspection; they will still look at the form of the packet and make sure it is RFC compliant. Custom commands (POP and SMTP) and custom methods (HTTP) may get dropped, as you can see.

Hope it helps!!!

Mike
