01-09-2007 12:25 AM - edited 03-10-2019 03:24 AM
Does anybody know why IPS signatures fire on an NTLM authentication proxy? In our environment we have ISA 2004, and the IPS is complaining about HTTP not in RFC specs and HTTP not recognized. Is it possible that the IPS does not understand NTLM proxy authentication?
01-09-2007 09:28 AM
Can you send me what signatures are firing and a traffic sample that is causing the issue? The sensor understands SMB and MSRPC, but does not do MSRPC over HTML, and I wonder if your proxy authentication is implemented this way.
Scott Cothrell
Cisco IPS Dev Team
01-10-2007 02:41 AM
The signatures that fire are 12674 and 12676.
01-10-2007 06:53 AM
These signatures are policy enforcement signatures. They are firing because the AIC engine has determined that the NTLM proxy application is running a non-web, HTTP-based protocol on a web port. That will trigger 12674. 12676 is triggered when an HTTP request method is seen that is not in the list of acceptable HTTP request methods (listed in the 12676 config). Currently, the method list should be considered static: even though it appears that you can add to this list, there are known issues that make updating it unreliable.
I'd look at the alarms to see if either the attacker or victim address is constant. I'm not sure how it will fire, but if one side is consistently the ISA system, then you can probably implement an alarm channel filter to keep those two signatures from firing with the ISA as the attacker/victim. Personally, I'd consider disabling the signatures since they are not compatible with your network policy.
WRT tuning 12676, the entire AIC engine is being actively worked on to improve its robustness and functionality, though no specific release vehicle has been determined--yet.
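To make the two policy checks described in the reply above concrete, here is an added example (not Cisco's AIC engine code, and not from this thread) that models them in Python: a "not recognized as HTTP" check in the spirit of 12674 and a request-method allow-list check in the spirit of 12676, run over a few constructed request lines. It also shows the effect of an alarm filter keyed on a fixed host, as suggested for the ISA system. The allow-list contents, the sample hosts and traffic, and the function names are assumptions made for the illustration; the real signature's method list and matching rules are not reproduced here.

```python
import re
from dataclasses import dataclass

# Assumption: a static allow-list of request methods (RFC 2616 methods plus
# CONNECT, which proxies use for TLS tunnelling). This stands in for the
# configurable list in the 12676 config; it is not copied from the signature.
ALLOWED_METHODS = frozenset(
    {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}
)

# An HTTP request line: METHOD SP request-target SP HTTP/major.minor
REQUEST_LINE = re.compile(r"^(?P<method>[A-Za-z]+) (?P<target>\S+) HTTP/(?P<ver>\d\.\d)$")


@dataclass
class Finding:
    kind: str    # "not-http" (12674-style), "bad-method" (12676-style), "ok", "filtered"
    detail: str


def inspect_request(first_line: str) -> Finding:
    """Classify the first line of a client-to-server message on a web port."""
    m = REQUEST_LINE.match(first_line.strip())
    if m is None:
        # Traffic on a web port whose first line is not an HTTP request line.
        return Finding("not-http", f"request line does not parse as HTTP: {first_line!r}")
    method = m.group("method")
    if method not in ALLOWED_METHODS:
        # Syntactically HTTP, but a method the policy does not permit.
        return Finding("bad-method", f"method {method} not in allow-list")
    return Finding("ok", f"{method} {m.group('target')}")


def triage(samples, filter_hosts=frozenset()):
    """Run the checks over (src, dst, first_line) tuples.

    filter_hosts models an alarm filter: any flow with one of these hosts as
    either endpoint is recorded as 'filtered' instead of being inspected.
    """
    results = []
    for src, dst, line in samples:
        if src in filter_hosts or dst in filter_hosts:
            results.append((src, dst, Finding("filtered", "endpoint excluded by alarm filter")))
            continue
        results.append((src, dst, inspect_request(line)))
    return results


def count_kinds(results):
    """Summarize triage output as {kind: count}."""
    counts = {}
    for _, _, finding in results:
        counts[finding.kind] = counts.get(finding.kind, 0) + 1
    return counts


# Constructed sample traffic (hypothetical addresses from the documentation range).
ISA_PROXY = "192.0.2.10"
SAMPLES = [
    ("192.0.2.25", ISA_PROXY, "GET http://www.example.test/ HTTP/1.1"),
    ("192.0.2.25", ISA_PROXY, "CONNECT www.example.test:443 HTTP/1.1"),
    ("192.0.2.31", "198.51.100.7", "PROPFIND /dav/ HTTP/1.1"),      # WebDAV method, not allowed
    ("192.0.2.31", "198.51.100.7", "\x05\x01\x00 not an http line"),  # binary data on a web port
]

if __name__ == "__main__":
    print("without filter:", count_kinds(triage(SAMPLES)))
    print("with ISA filter:", count_kinds(triage(SAMPLES, filter_hosts={ISA_PROXY})))
```

Running it shows the two kinds of alarm separately, and how much of the noise disappears once flows involving the proxy address are filtered; on a real sensor you would confirm which endpoint is constant in the alarms before building such a filter, as the reply suggests.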