Log message on Edge Router-- %APPFW-4-HTTP_STRICT
05-15-2013 05:33 PM - edited 03-07-2019 01:22 PM
Hi Everyone,
We are having issues on our edge router.
Users are having slowness and CPU utilization of edge router is high.
Edge router connects to the internet.
We see these logs again and again on the router
%APPFW-4-HTTP_STRICT_PROTOCOL: Sig:15 HTTP protocol violation detected - HTTP Protocol not detected from 210.x.x.x:35408 to 207.x.x.x:80
Need to know how can I fix this issue? Is something wrong with the configuration?
Thanks
Mahesh
Labels: Other Switching
05-15-2013 06:40 PM
Hi Mahesh,
Core issue
This problem occurs because the web site is not RFC compliant.
The Cisco IOS router has the PIX Firewall enabled with the inspect command. The inspection rule has appfw configuration in it, and appfw policy has HTTP application in it. The HTTP application in appfw policy has the strict-http action {reset} command in it.
These logs are observed:
007783: Apr 10 10:08:30.140 PDT: %APPFW-4-HTTP_STRICT_PROTOCOL: Sig:15 HTTP protocol violation detected - Reset - HTTP Protocol not detected from 10.123.195.67:1261 to 216.148.229.144:80
Response pages coming from www.yahoo.com and its e-mail sites have a malformed, chunked encoding scheme. That violates strict-http rules. In particular, the page has a chunk size followed by three spaces before a \r\n combination that violates the strict-http rules. If the action for this rule is to reset, the connection is reset by the firewall, preventing the pages from loading from www.yahoo.com.
Avoid the reset action with strict-http if you see some pages failing to load.
Resolution
For a workaround, either remove the strict-http command or avoid resetting connections in it, but include the alarm action.
Writing exceptions for strict-http is impractical. However, a note in Security Device Manager (SDM) 2.3 can be written by performing these steps:
- Detect non-compliant HTTP traffic.
- Check if you want SDM to examine HTTP traffic for packets that do not comply with the HTTP protocol.
- Use the permit, block, and alarm controls to specify the action that the router takes when this type of traffic is encountered.
Note: Blocking non-compliant HTTP traffic can cause the router to drop traffic from popular websites that might not be blocked on the basis of content if those websites do not conform to the HTTP protocol.
To issue the strict-http command through SDM, perform these steps:
1. Click Configure, and task Firewall and ACL.
2. Click on the Application Security tab, and click on HTTP.
Ref:
https://supportforums.cisco.com/docs/DOC-2368
http://www.technibble.com/forums/showthread.php?t=32272
HTH
Regards
Inayath
*Plz rate all useful posts
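To make the "chunk size followed by three spaces" violation concrete, here is an added example (not from this thread or from Cisco) that decodes a chunked HTTP body two ways: strictly, following the RFC 2616 chunk grammar the way a strict-http inspector does, and leniently, the way browsers typically do. The sample bodies are constructed, and the function names are my own.

```python
import re

# Constructed samples. MALFORMED_BODY has the shape the thread describes:
# chunk size "5" followed by three spaces before CRLF. VALID_BODY is the
# same content with a compliant chunk-size line.
MALFORMED_BODY = b"5   \r\nhello\r\n0\r\n\r\n"
VALID_BODY = b"5\r\nhello\r\n0\r\n\r\n"

# RFC 2616 chunk grammar: chunk-size (1*HEX) [chunk-extension] CRLF.
# Bare whitespace between the size and CRLF is not part of the grammar.
STRICT_CHUNK_LINE = re.compile(rb"^([0-9A-Fa-f]+)(;[^\r\n]*)?\r\n")


class StrictProtocolViolation(ValueError):
    """The condition under which a strict-http inspector logs Sig:15."""


def decode_chunked(body: bytes, strict: bool) -> bytes:
    """Decode a chunked transfer-coding body into the payload bytes.

    strict=True applies the RFC grammar exactly (inspector behaviour);
    strict=False tolerates trailing whitespace after the chunk size
    (browser behaviour), which is why users still see the page render.
    """
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("missing CRLF after chunk-size")
        line = body[pos:end + 2]
        if strict:
            m = STRICT_CHUNK_LINE.match(line)
            if not m:
                raise StrictProtocolViolation("bad chunk-size line %r" % line)
            size_hex = m.group(1)
        else:
            # Lenient: hex digits up to the first whitespace or ';' only.
            size_hex = re.split(rb"[\s;]", line.strip(), maxsplit=1)[0]
        size = int(size_hex, 16)
        pos = end + 2
        if size == 0:
            return bytes(out)  # last-chunk reached; trailers are ignored here
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk-data not terminated by CRLF")
        pos += 2


def violates_strict_http(body: bytes) -> bool:
    """True if a strict-http inspector would flag this body. Whether the router
    then resets the connection or only alarms depends on the configured action."""
    try:
        decode_chunked(body, strict=True)
        return False
    except StrictProtocolViolation:
        return True
```

Every response carrying such a body is a fresh violation, so the message repeats once per affected connection rather than once per site.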
05-15-2013 08:36 PM
Hi Inayath,
When you say that the website is not RFC compliant, does this mean this website with IP 207.x.x.x:80?
Also, the router has the same logs that go from our internal IP to 207.x.x.x?
Need to know why the logs keep on repeating?
Thanks
Mahesh
05-15-2013 08:53 PM
Hi Inayath,
Also we have this in log
%APPFW-4-HTTP_DEOBFUSCATE: Sig:14 Deobfuscation signature detected - HTTP deobfuscation detected IDS evasion technique from XXXXXXXXXto YYYYYYYYY
Where XXXXXXXXX is an IP in our internal network and YYYYYYYYY is a different IP as compared to the previous log.
Thanks
Mahesh
