http port 80

Lake
Level 1

Hi Guys,

 

We have an iSensor device sitting behind our firewall and we keep getting alerts from the iSensor device that the http header is not blocked for that specified device. The only port that is open to that IP address is SMTP port 25. So why is the iSensor saying that http is not blocked? Any help would be greatly appreciated. I have pasted the iSensor output below:

 

Incident Summary

The CTOC has received an alert for '54322 VID90223 Generic OGNL Injection Attempt Inbound - HTTP Header' from your iSensor device (198.10.1.21) for traffic (Not Blocked) destined to port 80/tcp of 198.10.1.21 that occurred on 2017-11-13 at 19:25:53. This may indicate that 133.22.217.11 is attempting to discover whether 198.10.1.21 is vulnerable to OGNL injection. Object-Graph Navigation Language (OGNL) is a Java-based expression language that exposes some of the functionality of Java. Attacker controlled input that gets evaluated as OGNL on the target's system(s) can result in arbitrary code execution.

 

Thanks,

Lake


6 Replies

Seb Rupik
VIP Alumni

Hi there,

What's the output from:

 

packet-tracer input OUTSIDE tcp 133.22.217.11 45000 198.10.1.21 80

 

(assuming your outbound interface is named 'OUTSIDE')

 

cheers,

Seb.

Hi Seb,

 

I don't have a packet-tracer output from our ASA firewall. This is a snippet of the iSensor output. Any idea why we keep getting these alerts?

 

Thanks,

Lake

Hi Lake,

What I am trying to determine is if traffic from the internet is actually being forwarded to your sensor. Since 133.22.217.11 is a globally routable address, I suspect the answer is yes. The packet-tracer output would confirm this.

 

cheers,

Seb.
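Seb's suggestion hinges on reading the packet-tracer verdict correctly: the last `Action:` line says whether the ASA forwards the flow, an `UN-NAT` phase with an `Untranslate` line says a static NAT is handing the public address to an inside host, and the `ACCESS-LIST` phase names the rule that let it in. As an added example that is not from this thread or from Cisco, here is a small Python parser run over two constructed packet-tracer transcripts: one where a static NAT plus an access-list entry lets port 80 through to an inside host (what Seb suspects), and one where the implicit deny drops it (what Lake expects). The object name SENSOR-PUBLIC, the ACL name OUTSIDE_IN and the inside address 10.1.1.21 are invented; real output has more phases (route lookup, inspection, flow creation), which the parser keeps but does not interpret.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed output for: packet-tracer input OUTSIDE tcp 133.22.217.11 45000 198.10.1.21 80
# on an ASA whose static NAT forwards the public address to an inside host. Not from the
# poster's firewall: SENSOR-PUBLIC, OUTSIDE_IN and 10.1.1.21 are invented for the example.
FORWARDED_TRACE = """\
Phase: 1
Type: UN-NAT
Result: ALLOW
Config:
object network SENSOR-PUBLIC
 nat (inside,OUTSIDE) static 198.10.1.21
Additional Information:
Untranslate 198.10.1.21/80 to 10.1.1.21/80

Phase: 2
Type: ACCESS-LIST
Result: ALLOW
Config:
access-list OUTSIDE_IN extended permit tcp any object SENSOR-PUBLIC
Additional Information:

Result:
output-interface: inside
Action: allow
"""

# Constructed output for what the poster expects: port 80 denied by the interface ACL.
DROPPED_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

@dataclass
class TraceSummary:
    action: str                             # final "Action:" line: allow or drop
    drop_reason: Optional[str]              # "Drop-reason:" text when dropped
    output_interface: Optional[str]         # egress interface when forwarded
    untranslate: Optional[tuple[str, str]]  # (public, real) from the UN-NAT phase
    permitted_by: Optional[str]             # Config line of the ACCESS-LIST phase that allowed it
    phases: list[dict]                      # every phase: type, subtype, result, config, info

def _parse_phase(lines: list[str]) -> dict:
    """Header lines are 'Key: value'; Config and Additional Information are free-form."""
    phase, section = {"config": [], "info": []}, None
    for line in lines:
        if line.startswith("Config:"):
            section = "config"
        elif line.startswith("Additional Information:"):
            section = "info"
        elif section:
            phase[section].append(line.strip())
        else:
            key, _, value = line.partition(":")
            phase[key.strip().lower()] = value.strip()
    return phase

def parse_packet_tracer(text: str) -> TraceSummary:
    phases, final = [], {}
    for block in (b.splitlines() for b in re.split(r"\n\s*\n", text.strip())):
        if block[0].startswith("Phase:"):
            phases.append(_parse_phase(block))
        elif block[0].startswith("Result:"):
            final = {k.strip(): v.strip() for k, _, v in (ln.partition(":") for ln in block[1:])}
    untranslate = permitted_by = None
    for p in phases:
        if p.get("type") == "UN-NAT":
            for line in p["info"]:
                m = re.match(r"Untranslate (\S+) to (\S+)", line)
                if m:
                    untranslate = (m.group(1), m.group(2))
        elif p.get("type") == "ACCESS-LIST" and p.get("result") == "ALLOW" and p["config"]:
            permitted_by = p["config"][0]
    return TraceSummary(final.get("Action", "unknown"), final.get("Drop-reason"),
                        final.get("output-interface"), untranslate, permitted_by, phases)

def explain(summary: TraceSummary) -> str:
    """One-line answer to the thread's question: does the ASA forward this flow, and why?"""
    if summary.action != "allow":
        return f"dropped: {summary.drop_reason or 'no reason given'}"
    parts = [f"forwarded out {summary.output_interface}"]
    if summary.untranslate:
        parts.append("static NAT maps %s to %s" % summary.untranslate)
    if summary.permitted_by:
        parts.append(f"permitted by '{summary.permitted_by}'")
    return "; ".join(parts)

if __name__ == "__main__":
    for name, trace in (("forwarded", FORWARDED_TRACE), ("dropped", DROPPED_TRACE)):
        print(f"{name}: {explain(parse_packet_tracer(trace))}")
```

On a real trace the two things to check are the same ones the parser pulls out: an `Untranslate` line means the public address is being handed to an inside host whatever you believe the access-list permits, and the final `Action:` line, not the per-phase `Result:` lines, is the verdict. If the trace shows `allow` for port 80, the NAT and access-list entries it quotes are the ones to review on the ASA.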

Hi Seb,

 

Is it possible for http traffic from the internet to go through the ASA even though that port is not open on the firewall? By this I mean any http traffic?

 

Thanks,

Lake

It looks as if it is being forwarded from the outside to your sensor. Do you have access to the ASA to check the NAT rules?

There is the remote possibility of the source IP being spoofed, and the traffic is originating from somewhere within your network.

I will open a case with Cisco and let them take a look at it. I appreciate all your help.

 

Thanks,

Lake
