[Sidewinder] Protocol violations

Sidewinder moderated discussion list sidewinder at adeptech.com
Tue Nov 3 22:45:29 EST 2009


On Tue, Nov 3, 2009 at 15:03, Sidewinder moderated discussion list
<sidewinder at adeptech.com> wrote:
> We have just implemented a sidewinder firewall and are experiencing numerous
> "protocol violations" for http traffic.  I understand from talking to
> support that there is not a way to tune protocol violations,
> it's apparently all or nothing (use an http proxy and get the violations or
> use an IP filter rule or maybe a generic proxy and don't get any
> protocol-aware proxy benefits).  I'm wondering how other people deal with
> this on two fronts: a.) how do you reduce all the noise generated by these
> log messages and b.) how do you deal with sites that are required for
> business purposes but that have some aspect of them broken because they fail
> to strictly follow RFCs and thus generate protocol violations?  Today was
> our first day in production and we identified 3 sites that we couldn't
> submit "plain" html forms through because something on the pages generated
> protocol violations.
>
> I'm dealing with it now by creating a TCP filter rule "above" my main http
> proxy rule and specifying a net group that I then add members to as the
> complaints come in.  Obviously not very efficient.  I understand and
> appreciate what the sidewinder is doing but to me it seems like there should
> be some way to fine-tune which protocol violations get flagged and/or which
> ones end up dropping the traffic (something like what is done to configure
> IDS signatures/responses).
>
> Am I just missing something?

I'm no expert, but I believe you're not missing anything.

I'm doing basically the same thing - creating an exceptions list for
sites that users have a business need to be visiting. I've had
complaints, and have had to point to the RFCs any number of times.
It's incredibly annoying for the users, but I've never taken it out on
them, because they expect it to "just work", and I don't really blame
them.

However, if I ever get some web designers alone in an alley some day...


BTW - wait until you get random denials while users try to download
PDFs. I've had to drop a couple of directives in squid to make it work
better. I'm at home at the moment, and can't remember the two I had to
filter out - something about "if not changed since" or something like
that, and one other. The version of squid I had didn't filter them,
though it advertised that it did, but the current versions (3.17 and
later, IIRC) of squid fix that.


Kurt
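
The "protocol violation" drops and the exception-list workaround discussed in this thread, as an added example (not Sidewinder, McAfee or squid code, and not posted by either participant): a strict HTTP/1.1 request-head checker that flags the kind of RFC departures a protocol-aware proxy rejects, plus a `decide()` step that models the poster's bypass rule for known-broken sites. The checks implemented, the host names and the two sample requests are assumptions constructed for this illustration; a real Sidewinder applies its own, broader set of checks.

```python
"""Strict HTTP/1.1 request-head check plus a per-site bypass list.

Added example for this thread; not Sidewinder, McAfee or squid code.
The samples and the host names below are constructed for illustration.
"""
from __future__ import annotations
import re

# RFC 7230 "token" characters: the only ones allowed in a header field name.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
REQUEST_LINE_RE = re.compile(r"^([^ ]+) ([^ ]+) HTTP/(\d)\.(\d)$")


def check_request(raw: bytes) -> list[str]:
    """Return the protocol violations found in the request head of raw."""
    violations = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        violations.append("header block not terminated by CRLF CRLF")
        head = raw.partition(b"\n\n")[0]  # best effort for bare-LF senders
    # RFC 7230 requires CRLF line endings; a bare LF is a common violation.
    if b"\n" in head.replace(b"\r\n", b""):
        violations.append("bare LF used as line terminator")
    lines = head.replace(b"\r\n", b"\n").decode("latin-1").split("\n")

    major = minor = None
    m = REQUEST_LINE_RE.match(lines[0])
    if m:
        major, minor = int(m.group(3)), int(m.group(4))
    else:
        violations.append(f"malformed request line: {lines[0]!r}")

    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            violations.append("obsolete line folding (obs-fold) in header")
            continue
        name, colon, value = line.partition(":")
        if not colon:
            violations.append(f"header line without colon: {line!r}")
            continue
        if name != name.rstrip():
            violations.append(f"whitespace between field name and colon: {name!r}")
            name = name.rstrip()
        if not TOKEN_RE.match(name):
            violations.append(f"illegal character in field name: {name!r}")
        headers.setdefault(name.lower(), []).append(value.strip())

    if major == 1 and minor >= 1 and "host" not in headers:
        violations.append("HTTP/1.1 request without Host header")
    if len(headers.get("host", [])) > 1:
        violations.append("multiple Host headers")
    lengths = headers.get("content-length", [])
    if any(not v.isdigit() for v in lengths):
        violations.append("non-numeric Content-Length")
    if len(set(lengths)) > 1:
        violations.append("conflicting Content-Length values")
    if lengths and "transfer-encoding" in headers:
        violations.append("both Content-Length and Transfer-Encoding present")
    return violations


def _host_of(raw: bytes) -> str:
    """Loosely pull out the Host value so that even a malformed request can
    be matched against the bypass list."""
    for line in raw.replace(b"\r\n", b"\n").split(b"\n")[1:]:
        if line == b"":
            break
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            return value.strip().decode("latin-1").lower()
    return ""


def decide(raw: bytes, bypass_hosts: set[str]) -> tuple[str, list[str]]:
    """Return ("allow" | "drop" | "bypass", violations).

    "bypass" models the thread's workaround: a plain TCP filter rule above the
    HTTP proxy rule for a net group of known-broken sites. Keying it on the
    Host header is illustration only; that header is client-controlled, so a
    real rule matches on destination address, and bypassed traffic gets no
    protocol-aware inspection at all.
    """
    violations = check_request(raw)
    if violations and _host_of(raw) in bypass_hosts:
        return "bypass", violations
    return ("drop" if violations else "allow"), violations


# Constructed samples: one clean request, one sloppy form post of the kind
# the thread complains about (bare LF, space before the colon, space inside
# a field name, conflicting Content-Length).
GOOD = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BAD = (b"POST /submit.php HTTP/1.1\nHost : forms.example.net\nX Custom: yes\n"
       b"Content-Length: 5\nContent-Length: 6\n\na=1&b")

if __name__ == "__main__":
    for label, req in (("GOOD", GOOD), ("BAD", BAD)):
        verdict, found = decide(req, {"forms.example.net"})
        print(f"{label}: {verdict}")
        for v in found:
            print("   ", v)
```

Run stand-alone it reports GOOD as allowed and BAD as bypassed with five findings; with an empty bypass set BAD is dropped, which is the behaviour the thread describes for an unlisted site. The point the bypass makes visible is that every host added to the exception list loses all of the proxy's protocol checks, not just the one that was tripping, so the list deserves periodic review rather than growing only as complaints arrive.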

