
List:       sidewinder
Subject:    Re: [Sidewinder] Sidewinder Digest, Vol 57, Issue 2
From:       Sidewinder moderated discussion list <sidewinder () adeptech ! com>
Date:       2009-11-04 17:10:59
Message-ID: 0768BCB116CBE34BBBFCB9A3EDCAD364EEDDEBF062 () MEWMAD0PC02G05 ! accounts ! wistate ! us

Hello,

We don't get many http protocol violations (under 6.1.02.06).

Under the "Web" Application Defenses, the "default" web application defense, we only have "URL Control" turned on.

All of the Selected HTTP Commands are allowed.  "Strict URLs" is not checked.  We do require the HTTP version be included.  The Maximum URL Length is 1024.

Most http protocol violations I see are due to length.


Bob
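As an added example (not Sidewinder code, and not written by anyone in this thread), the following Python script re-implements the request-side checks Bob lists above (allowed HTTP commands, required HTTP version, maximum URL length of 1024) together with the response-side problem JRJ describes further down in the digest (a body sent with a status code that must not carry one), so a suspect request/response pair can be scored offline before a site is added to an exception list. The allowed-method set, the treatment of 1xx/204/304 and HEAD responses (taken from RFC 2616 section 4.3) and the sample messages are assumptions constructed for the example; how Sidewinder itself implements its checks is not described on this page.

```python
"""Toy HTTP protocol-violation checker (constructed example, not Sidewinder code).

Reproduces the classes of violation discussed in the thread so a suspect
request/response pair can be examined offline.
"""
import re
from typing import List, Tuple

MAX_URL_LENGTH = 1024          # the "Maximum URL Length" quoted in the thread
REQUIRE_HTTP_VERSION = True    # "we do require the HTTP version be included"
# Assumed allowed-command set; a real policy would mirror the proxy's own list.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
# RFC 2616 section 4.3: 1xx, 204 and 304 responses (and any response to HEAD)
# must not include a message body.
NO_BODY_STATUSES = {204, 304}

_VERSION_RE = re.compile(r"^HTTP/\d\.\d$")


def _split(raw: bytes) -> Tuple[List[str], bytes]:
    """Split a raw HTTP message into its header lines and body bytes."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:                      # tolerate bare-LF framing as well
        head, sep, body = raw.partition(b"\n\n")
    lines = head.decode("latin-1").replace("\r\n", "\n").split("\n")
    return lines, body


def check_request(raw: bytes, max_url_length: int = MAX_URL_LENGTH) -> List[str]:
    """Return the violations a strict HTTP proxy would flag for one request."""
    violations: List[str] = []
    lines, _ = _split(raw)
    parts = lines[0].split(" ")
    if len(parts) < 2 or not parts[0]:
        return [f"malformed request line: {lines[0]!r}"]
    method, target = parts[0], parts[1]
    if method not in ALLOWED_METHODS:
        violations.append(f"method not allowed: {method}")
    if len(target) > max_url_length:
        violations.append(f"URL length {len(target)} exceeds {max_url_length}")
    if len(parts) == 2:
        # HTTP/0.9-style "GET /path" with no version token.
        if REQUIRE_HTTP_VERSION:
            violations.append("HTTP version missing from request line")
    elif len(parts) != 3 or not _VERSION_RE.match(parts[2]):
        violations.append(f"malformed request line: {lines[0]!r}")
    return violations


def check_response(raw: bytes, request_method: str = "GET") -> List[str]:
    """Return the violations a strict HTTP proxy would flag for one response."""
    violations: List[str] = []
    lines, body = _split(raw)
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not _VERSION_RE.match(parts[0]) or not parts[1].isdigit():
        return [f"malformed status line: {lines[0]!r}"]
    status = int(parts[1])
    body_forbidden = status < 200 or status in NO_BODY_STATUSES or request_method == "HEAD"
    if body_forbidden and body:
        violations.append(
            f"{status} response to {request_method} must not carry a body "
            f"({len(body)} bytes present)"
        )
    return violations


# Constructed sample traffic (not captured from any real site).
GOOD_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
NO_VERSION_REQUEST = b"GET /index.html\r\nHost: example.test\r\n\r\n"
LONG_URL_REQUEST = b"GET /" + b"a" * 1100 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n"
GOOD_304 = b"HTTP/1.1 304 Not Modified\r\nETag: \"abc\"\r\n\r\n"
# The WebSphere-style case from the thread: HTML attached to a 304.
BAD_304 = b"HTTP/1.1 304 Not Modified\r\nContent-Type: text/html\r\n\r\n<html>cached</html>"

if __name__ == "__main__":
    for label, raw in [("good request", GOOD_REQUEST),
                       ("no version", NO_VERSION_REQUEST),
                       ("long URL", LONG_URL_REQUEST)]:
        print(f"{label}: {check_request(raw) or 'OK'}")
    for label, raw in [("good 304", GOOD_304), ("304 with body", BAD_304)]:
        print(f"{label}: {check_response(raw) or 'OK'}")
```

Running the script scores each constructed sample; the point of keeping the checks separate is that you can see exactly which one a problem site trips, which the proxy's all-or-nothing behaviour described in the thread does not show you before the site goes into an exception group.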


-----Original Message-----
From: sidewinder-bounces@adeptech.com [mailto:sidewinder-bounces@adeptech.com] On Behalf Of sidewinder-request@adeptech.com
Sent: Wednesday, November 04, 2009 11:00 AM
To: sidewinder@adeptech.com
Subject: Sidewinder Digest, Vol 57, Issue 2

Send Sidewinder mailing list submissions to
        sidewinder@adeptech.com

To subscribe or unsubscribe via the World Wide Web, visit
        http://mail.adeptech.com/mailman/listinfo/sidewinder
or, via email, send a message with subject or body 'help' to
        sidewinder-request@adeptech.com

You can reach the person managing the list at
        sidewinder-owner@adeptech.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Sidewinder digest..."


Today's Topics:

   1. Protocol violations (Sidewinder moderated discussion list)
   2. Re: Protocol violations (Sidewinder moderated discussion list)
   3. Re: Protocol violations (Sidewinder moderated discussion list)
   4. Re: Protocol violations (Sidewinder moderated discussion list)
   5. Re: Protocol violations (Sidewinder moderated discussion list)
   6. Re: Protocol violations (Sidewinder moderated discussion list)
   7. Re: Protocol violations (Sidewinder moderated discussion list)


----------------------------------------------------------------------

Message: 1
Date: Tue, 3 Nov 2009 18:03:57 -0500
From: Sidewinder moderated discussion list <sidewinder@adeptech.com>
Subject: [Sidewinder] Protocol violations
To: sidewinder@adeptech.com
Message-ID:
        <9cf1ed360911031503g171207e1sb7580d1e12fd5ddb@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

We have just implemented a sidewinder firewall and are experiencing numerous
"protocol violations" for http traffic.  I understand from talking to
support that there is not a way to tune protocol violations,
it's apparently all or nothing (use an http proxy and get the violations or
use an IP filter rule or maybe a generic proxy and don't get any
protocol-aware proxy benefits).  I'm wondering how other people deal with
this on two fronts: a.) how do you reduce all the noise generated by these
log messages and b.) how do you deal with sites that are required for
business purposes but that have some aspect of them broken because they fail
to strictly follow RFCs and thus generate protocol violations?  Today was
our first day in production and we identified 3 sites that we couldn't
submit "plain" html forms through because something on the pages generated
protocol violations.

I'm dealing with it now by creating a TCP filter rule "above" my main http
proxy rule and specifying a net group that I then add members to as the
complaints come in.  Obviously not very efficient.  I understand and
appreciate what the sidewinder is doing but to me it seems like there should
be some way to fine-tune which protocol violations get flagged and/or which
ones end up dropping the traffic (something like what is done to configure
IDS signatures/responses).

Am I just missing something?


------------------------------

Message: 2
Date: Tue, 3 Nov 2009 19:45:29 -0800
From: Sidewinder moderated discussion list <sidewinder@adeptech.com>
Subject: Re: [Sidewinder] Protocol violations
To: sidewinder@adeptech.com
Message-ID:
        <a9f4a3860911031945w6898e82byed51f784b612a462@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

On Tue, Nov 3, 2009 at 15:03, Sidewinder moderated discussion list
<sidewinder@adeptech.com> wrote:
> We have just implemented a sidewinder firewall and are experiencing numerous
> "protocol violations" for http traffic.  I understand from talking to
> support that there is not a way to tune protocol violations,
> it's apparently all or nothing (use an http proxy and get the violations or
> use an IP filter rule or maybe a generic proxy and don't get any
> protocol-aware proxy benefits).  I'm wondering how other people deal with
> this on two fronts: a.) how do you reduce all the noise generated by these
> log messages and b.) how do you deal with sites that are required for
> business purposes but that have some aspect of them broken because they fail
> to strictly follow RFCs and thus generate protocol violations?  Today was
> our first day in production and we identified 3 sites that we couldn't
> submit "plain" html forms through because something on the pages generated
> protocol violations.
> 
> I'm dealing with it now by creating a TCP filter rule "above" my main http
> proxy rule and specifying a net group that I then add members to as the
> complaints come in.  Obviously not very efficient.  I understand and
> appreciate what the sidewinder is doing but to me it seems like there should
> be some way to fine-tune which protocol violations get flagged and/or which
> ones end up dropping the traffic (something like what is done to configure
> IDS signatures/responses).
> 
> Am I just missing something?

I'm no expert, but I believe you're not missing anything.

I'm doing basically the same thing - creating an exceptions list for
sites that users have a business need to be visiting. I've had
complaints, and have had to point to the RFCs any number of times.
It's incredibly annoying for the users, but I've never taken it out on
them, because they expect it to "just work", and I don't really blame
them.

However, if I ever get some web designers alone in an alley some day...


BTW - wait until you get random denials while users try to download
PDFs. I've had to drop a couple of directives in squid to make it work
better. I'm at home at the moment, and can't remember the two I had to
filter out - something about "if not changed since" or something like
that, and one other. The version of squid I had didn't filter them,
though it advertised that it did, but the current versions (3.17 and
later, IIRC) of squid fix that.


Kurt


------------------------------

Message: 3
Date: Wed, 4 Nov 2009 08:01:26 -0500
From: Sidewinder moderated discussion list <sidewinder@adeptech.com>
Subject: Re: [Sidewinder] Protocol violations
To: sidewinder@adeptech.com
Message-ID:
        <8878e3ce0911040501x4d765e49h5b1b42017d9bad17@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

I'm not in front of the sidewinder but I believe that there is an
option to relax the rules.  Make sure that this is checked.

On Tue, Nov 3, 2009 at 6:03 PM, Sidewinder moderated discussion list
<sidewinder@adeptech.com> wrote:
> We have just implemented a sidewinder firewall and are experiencing numerous
> "protocol violations" for http traffic.  I understand from talking to
> support that there is not a way to tune protocol violations,
> it's apparently all or nothing (use an http proxy and get the violations or
> use an IP filter rule or maybe a generic proxy and don't get any
> protocol-aware proxy benefits).  I'm wondering how other people deal with
> this on two fronts: a.) how do you reduce all the noise generated by these
> log messages and b.) how do you deal with sites that are required for
> business purposes but that have some aspect of them broken because they fail
> to strictly follow RFCs and thus generate protocol violations?  Today was
> our first day in production and we identified 3 sites that we couldn't
> submit "plain" html forms through because something on the pages generated
> protocol violations.
> 
> I'm dealing with it now by creating a TCP filter rule "above" my main http
> proxy rule and specifying a net group that I then add members to as the
> complaints come in.  Obviously not very efficient.  I understand and
> appreciate what the sidewinder is doing but to me it seems like there should
> be some way to fine-tune which protocol violations get flagged and/or which
> ones end up dropping the traffic (something like what is done to configure
> IDS signatures/responses).
> 
> Am I just missing something?
> _______________________________________________
> Sidewinder mailing list
> Sidewinder@adeptech.com
> http://mail.adeptech.com/mailman/listinfo/sidewinder
> 


------------------------------

Message: 4
Date: Wed, 4 Nov 2009 08:59:54 -0500
From: Sidewinder moderated discussion list <sidewinder@adeptech.com>
Subject: Re: [Sidewinder] Protocol violations
To: sidewinder@adeptech.com
Message-ID:
        <9cf1ed360911040559ia87e640t9a4592b1abc160e6@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

That's what I'm looking for but I can't see it anywhere.  If you can track
it down please let me know where it is.

After my initial post it also occurred to me that Microsoft ISA Server
(software firewall) as early as 2004 had the ability to specify which parts
of protocol RFCs to enforce/ignore.  Surely there must be a way to dial it
down if we don't have the need to enforce certain aspects.

Jason


On Wed, Nov 4, 2009 at 8:01 AM, Sidewinder moderated discussion list <
sidewinder@adeptech.com> wrote:

> I'm not in front of the sidewinder but I believe that there is an
> option to relax the rules.  Make sure that this is checked.
> 
> On Tue, Nov 3, 2009 at 6:03 PM, Sidewinder moderated discussion list
> <sidewinder@adeptech.com> wrote:
> > We have just implemented a sidewinder firewall and are experiencing numerous
> > "protocol violations" for http traffic.  I understand from talking to
> > support that there is not a way to tune protocol violations,
> > it's apparently all or nothing (use an http proxy and get the violations or
> > use an IP filter rule or maybe a generic proxy and don't get any
> > protocol-aware proxy benefits).  I'm wondering how other people deal with
> > this on two fronts: a.) how do you reduce all the noise generated by these
> > log messages and b.) how do you deal with sites that are required for
> > business purposes but that have some aspect of them broken because they fail
> > to strictly follow RFCs and thus generate protocol violations?  Today was
> > our first day in production and we identified 3 sites that we couldn't
> > submit "plain" html forms through because something on the pages generated
> > protocol violations.
> > 
> > I'm dealing with it now by creating a TCP filter rule "above" my main http
> > proxy rule and specifying a net group that I then add members to as the
> > complaints come in.  Obviously not very efficient.  I understand and
> > appreciate what the sidewinder is doing but to me it seems like there should
> > be some way to fine-tune which protocol violations get flagged and/or which
> > ones end up dropping the traffic (something like what is done to configure
> > IDS signatures/responses).
> > 
> > Am I just missing something?
> 


------------------------------

Message: 5
Date: Wed, 4 Nov 2009 08:10:25 -0600
From: Sidewinder moderated discussion list <sidewinder@adeptech.com>
Subject: Re: [Sidewinder] Protocol violations
To: "'sidewinder@adeptech.com'" <sidewinder@adeptech.com>
Message-ID:
        <0288F718808D8A4B9108CAA5EE507D0D95CA60DC35@MEWMAD0PC02G01.accounts.wistate.us>
Content-Type: text/plain; charset="us-ascii"

RE: Protocol violations:  We have also had to add some exception sites because of this issue.  The most common protocol error we have seen is web application servers that send HTML along with response codes for which there is not supposed to be any HTML.  (IBM's WebSphere application server does that, at least in some versions).

JRJ



------------------------------

Message: 6
Date: Wed, 4 Nov 2009 09:50:29 -0600
From: Sidewinder moderated discussion list <sidewinder@adeptech.com>
Subject: Re: [Sidewinder] Protocol violations
To: "'sidewinder@adeptech.com'" <sidewinder@adeptech.com>
Message-ID:
        <0288F718808D8A4B9108CAA5EE507D0D95CA60DC3E@MEWMAD0PC02G01.accounts.wistate.us>
Content-Type: text/plain; charset="us-ascii"

At least in V6, the only place is in the Application Defenses ("Web" by default) -- and all it allows is which side you relax enforcement for (Client or Server).

(... and don't call me Shirley ...  ;^) )

> After my initial post it also occurred to me that Microsoft ISA Server
> (software firewall) as early as 2004 had the ability to specify which parts
> of protocol RFCs to enforce/ignore.  Surely there must be a way to dial it
> down if we don't have the need to enforce certain aspects.


------------------------------

Message: 7
Date: Wed, 4 Nov 2009 11:01:03 -0500
From: Sidewinder moderated discussion list <sidewinder@adeptech.com>
Subject: Re: [Sidewinder] Protocol violations
To: sidewinder@adeptech.com
Message-ID:
        <9cf1ed360911040801p6f389998h9886e2a4598b59a6@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Yes, I think that's exactly what I'm looking for (weird that support knew
exactly what I was talking about but didn't suggest this to fix it).  I'll
try it and see if it works.  Thanks!

On Wed, Nov 4, 2009 at 10:50 AM, Sidewinder moderated discussion list <
sidewinder@adeptech.com> wrote:

> At least in V6, the only place is in the Application Defenses ("Web" by
> default) -- and all it allows is which side you relax enforcement for (Client
> or Server).
> 
> (... and don't call me Shirley ...  ;^) )
> 
> > After my initial post it also occurred to me that Microsoft ISA Server
> > (software firewall) as early as 2004 had the ability to specify which parts
> > of protocol RFCs to enforce/ignore.  Surely there must be a way to dial it
> > down if we don't have the need to enforce certain aspects.
> 


------------------------------



End of Sidewinder Digest, Vol 57, Issue 2
*****************************************

