TCC_2

What is HTTP inspection?

HTTP Inspect is a generic HTTP decoder for user applications. Given a data buffer, HTTP Inspect will decode the buffer, find HTTP fields, and normalize the fields. HTTP Inspect works on both client requests and server responses.

The current version of HTTP Inspect only handles stateless processing. This means that HTTP Inspect looks for HTTP fields on a packet-by-packet basis, and will be fooled if packets are not reassembled. This works fine when there is another module handling the reassembly, but there are limitations in analyzing the protocol. Future versions will have a stateful processing mode which will hook into various reassembly modules.

HTTP Inspect has a very "rich" user configuration. Users can configure individual HTTP servers with a variety of options, which should allow the user to emulate any type of web server. Within HTTP Inspect, there are two areas of configuration: global and server.

Core issue

This problem occurs because the web site is not RFC compliant.

The Cisco IOS router has the PIX Firewall enabled with the inspect command. The inspection rule has an appfw configuration in it, and the appfw policy has an HTTP application in it. The HTTP application in the appfw policy has the strict-http action {reset} command in it.

These logs are observed:

007783: Apr 10 10:08:30.140 PDT: %APPFW-4-HTTP_STRICT_PROTOCOL: Sig:15 HTTP
protocol violation detected - Reset -  HTTP Protocol not detected from
10.123.195.67:1261 to 216.148.229.144:80

Response pages coming from www.yahoo.com and its e-mail sites use a malformed chunked encoding scheme that violates the strict-http rules. In particular, the page has a chunk size followed by three spaces before the \r\n combination, which violates the strict-http rules. If the action for this rule is reset, the connection is reset by the firewall, preventing the pages from loading from www.yahoo.com.
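The following is an added example, not part of the original post or of Cisco's inspection code. It decodes a chunked body in a strict mode that rejects any bytes between the hex chunk size and the CRLF (the check that strict-http applies) and in a lenient mode that tolerates the stray whitespace but still records the deviation so it can be alarmed on instead of reset. The two bodies are constructed sample inputs, not captured traffic.

```python
import re

# Constructed sample bodies (not captured traffic). The second one mimics the
# deviation described above: the chunk-size line has three spaces before CRLF.
COMPLIANT = b"5\r\nhello\r\n0\r\n\r\n"
SPACES_BEFORE_CRLF = b"5   \r\nhello\r\n0   \r\n\r\n"

# RFC-shaped chunk-size line: hex digits, optionally a ';'-prefixed extension,
# and nothing else before the CRLF.
STRICT_SIZE_LINE = re.compile(rb"^[0-9A-Fa-f]+(;[^\r\n]*)?$")


def parse_chunked(body, strict=True):
    """Decode a chunked body. Returns (payload, violations).

    strict=True raises on the first malformed chunk-size line, which is the
    behaviour of a reset action. strict=False strips the stray whitespace the
    way browsers do, but records each deviation so it can be alarmed on."""
    payload = bytearray()
    violations = []
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("truncated chunk-size line")
        line = body[pos:end]
        if not STRICT_SIZE_LINE.match(line):
            violations.append(f"chunk-size line {line!r} has bytes before CRLF")
            if strict:
                raise ValueError(violations[-1])
            line = line.strip()  # lenient: drop the trailing spaces
        size = int(line.split(b";", 1)[0], 16)
        pos = end + 2
        if size == 0:
            return bytes(payload), violations  # trailers are ignored here
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        payload += chunk
        pos += size + 2


def is_strict_compliant(body):
    """True if the body decodes under the strict check without a violation."""
    try:
        parse_chunked(body, strict=True)
        return True
    except ValueError:
        return False
```

Running the lenient decoder on the second body yields the same "hello" payload a browser would see, plus two recorded violations (one per chunk-size line).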

Avoid the reset action with strict-http if you see some pages failing to load.

Resolution

As a workaround, either remove the strict-http command or avoid resetting connections in it, but include the alarm action.

Writing exceptions for strict-http is impractical. However, the setting can be configured in Security Device Manager (SDM) 2.3 by performing these steps:

  1. Detect non-compliant HTTP traffic.

  2. Check if you want SDM to examine HTTP traffic for packets that do not comply with the HTTP protocol.

  3. Use the permit, block, and alarm controls to specify the action that the router takes when this type of traffic is encountered.

    Note: Blocking non-compliant HTTP traffic can cause the router to drop traffic from popular websites that might not be blocked on the basis of content if those websites do not conform to the HTTP protocol.

To issue the strict-http command through SDM, perform these steps:

  1. Click Configure, and task Firewall and ACL.

  2. Click on the Application Security tab, and click on HTTP.
