05-15-2013 05:33 PM - edited 03-07-2019 01:22 PM
Hi Everyone,
We are having issues on our edge router.
Users are having slowness and CPU utilization of edge router is high.
Edge router connects to the internet.
We see these logs again and again on the router
%APPFW-4-HTTP_STRICT_PROTOCOL: Sig:15 HTTP protocol violation detected - HTTP Protocol not detected from 210.x.x.x:35408 to 207.x.x.x:80
Need to know how can I fix this issue? Is something wrong with the configuration?
Thanks
Mahesh
05-15-2013 06:40 PM
Hi Mahesh,
This problem occurs because the web site is not RFC compliant.
The Cisco IOS router has the PIX Firewall enabled with the inspect command. The inspection rule has appfw configuration in it, and appfw policy has HTTP application in it. The HTTP application in appfw policy has the strict-http action {reset} command in it.
These logs are observed:
007783: Apr 10 10:08:30.140 PDT: %APPFW-4-HTTP_STRICT_PROTOCOL: Sig:15 HTTP protocol violation detected - Reset - HTTP Protocol not detected from 10.123.195.67:1261 to 216.148.229.144:80
Response pages coming from www.yahoo.com and its e-mail sites have a malformed, chunked encoding scheme. That violates strict-http rules. In particular, the page has a chunk size followed by three spaces before a \r\n combination that violates the strict-http rules. If the action for this rule is to reset, the connection is reset by the firewall, preventing the pages from loading from www.yahoo.com.
Avoid the reset action with strict-http if you see some pages failing to load.
For a workaround, either remove the strict-http command or avoid resetting connections in it, but include the alarm action.
Writing exceptions for strict-http is impractical. However, a note in Security Device Manager (SDM) 2.3 can be written by performing these steps:
To issue the strict-http command through SDM, perform these steps:
1. Click Configure, and task Firewall and ACL.
2. Click on the Application Security tab, and click on HTTP.
Ref:
https://supportforums.cisco.com/docs/DOC-2368
http://www.technibble.com/forums/showthread.php?t=32272
HTH
Regards
Inayath
*Plz rate all useful posts
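To make the violation Inayath describes concrete, here is an added Python check (not from this thread and not Cisco's appfw code) that walks a chunked HTTP body the way a strict parser would, flags a chunk-size line padded with spaces before the CRLF, and still assembles the payload a tolerant browser would have rendered. The regexes and sample bodies are constructed for the example.

```python
import re

# Strict chunk-size line per RFC 7230 section 4.1: 1*HEXDIG [chunk-ext] CRLF.
# Simplified: extensions must start with ';' immediately, no padding allowed.
STRICT_SIZE_LINE = re.compile(
    rb'^[0-9A-Fa-f]+(;[!#$%&\'*+\-.^_`|~0-9A-Za-z]+(=[^;\r\n]*)?)*$')
# Tolerant form: skip leading whitespace and take the first hex run.
LENIENT_SIZE_LINE = re.compile(rb'^\s*([0-9A-Fa-f]+)')


def check_chunked_body(body: bytes):
    """Return (ok, violations, payload) for a chunked message body.

    ok is False when any chunk-size line would fail a strict parser
    (the condition behind the APPFW strict-http Sig:15 log), but the
    payload is still assembled leniently so you can see what a tolerant
    client would have displayed had the firewall only alarmed."""
    violations, payload, pos = [], b'', 0
    while True:
        end = body.find(b'\r\n', pos)
        if end < 0:
            violations.append(f'offset {pos}: missing CRLF after chunk size')
            return False, violations, payload
        line = body[pos:end]
        if not STRICT_SIZE_LINE.match(line):
            violations.append(f'offset {pos}: malformed chunk-size line {line!r}')
        m = LENIENT_SIZE_LINE.match(line)
        if not m:
            violations.append(f'offset {pos}: no hex size in {line!r}')
            return False, violations, payload
        size = int(m.group(1), 16)
        pos = end + 2
        if size == 0:  # last-chunk; trailers are not inspected here
            return not violations, violations, payload
        payload += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b'\r\n':
            violations.append(f'offset {pos}: chunk data not terminated by CRLF')
            return False, violations, payload
        pos += 2


# Constructed sample bodies: a compliant one and the "size + three spaces" case.
GOOD_BODY = b'5\r\nhello\r\n0\r\n\r\n'
BAD_BODY = b'5   \r\nhello\r\n0\r\n\r\n'
```

Running `check_chunked_body(BAD_BODY)` reports one violation at offset 0 yet still returns `b'hello'`, which is why alarming without resetting lets the page load while keeping the log entry.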
05-15-2013 08:36 PM
Hi Inayath,
When you say that the website is not RFC compliant, does this mean this website with IP - to 207.x.x.x:80?
Also Router has same logs that goes from our internal IP to 207.x.x.x?
Need to know why logs keep on repeating?
Thanks
Mahesh
05-15-2013 08:53 PM
Hi Inayath,
Also we have this in log
%APPFW-4-HTTP_DEOBFUSCATE: Sig:14 Deobfuscation signature detected - HTTP deobfuscation detected IDS evasion technique from XXXXXXXXX to YYYYYYYYY
Where X is an IP in our internal network and YYYYY is a different IP as compared to the previous log.
Thanks
Mahesh