[Sidewinder] Sidewinder Digest, Vol 57, Issue 2
Sidewinder moderated discussion list
sidewinder at adeptech.com
Wed Nov 4 12:10:59 EST 2009
Hello,
We don't get many http protocol violations (under 6.1.02.06).
Under the "Web" Application Defenses, the "default" web application defense, we only have "URL Control" turned on.
All of the Selected HTTP Commands are allowed. "Strict URLs" is not checked. We do require the HTTP version be included. The Maximum URL Length is 1024.
Most http protocol violations I see are due to length.
Bob
-----Original Message-----
From: sidewinder-bounces at adeptech.com [mailto:sidewinder-bounces at adeptech.com] On Behalf Of sidewinder-request at adeptech.com
Sent: Wednesday, November 04, 2009 11:00 AM
To: sidewinder at adeptech.com
Subject: Sidewinder Digest, Vol 57, Issue 2
Send Sidewinder mailing list submissions to
sidewinder at adeptech.com
To subscribe or unsubscribe via the World Wide Web, visit
http://mail.adeptech.com/mailman/listinfo/sidewinder
or, via email, send a message with subject or body 'help' to
sidewinder-request at adeptech.com
You can reach the person managing the list at
sidewinder-owner at adeptech.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Sidewinder digest..."
Today's Topics:
1. Protocol violations (Sidewinder moderated discussion list)
2. Re: Protocol violations (Sidewinder moderated discussion list)
3. Re: Protocol violations (Sidewinder moderated discussion list)
4. Re: Protocol violations (Sidewinder moderated discussion list)
5. Re: Protocol violations (Sidewinder moderated discussion list)
6. Re: Protocol violations (Sidewinder moderated discussion list)
7. Re: Protocol violations (Sidewinder moderated discussion list)
----------------------------------------------------------------------
Message: 1
Date: Tue, 3 Nov 2009 18:03:57 -0500
From: Sidewinder moderated discussion list <sidewinder at adeptech.com>
Subject: [Sidewinder] Protocol violations
To: sidewinder at adeptech.com
Message-ID:
<9cf1ed360911031503g171207e1sb7580d1e12fd5ddb at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
We have just implemented a sidewinder firewall and are experiencing numerous
"protocol violations" for http traffic. I understand from talking to
support that there is not a way to tune protocol violations,
it's apparently all or nothing (use an http proxy and get the violations or
use an IP filter rule or maybe a generic proxy and don't get any
protocol-aware proxy benefits). I'm wondering how other people deal with
this on two fronts: a.) how do you reduce all the noise generated by these
log messages and b.) how do you deal with sites that are required for
business purposes but that have some aspect of them broken because they fail
to strictly follow RFCs and thus generate protocol violations? Today was
our first day in production and we identified 3 sites that we couldn't
submit "plain" html forms through because something on the pages generated
protocol violations.
I'm dealing with it now by creating a TCP filter rule "above" my main http
proxy rule and specifying a net group that I then add members to as the
complaints come in. Obviously not very efficient. I understand and
appreciate what the sidewinder is doing but to me it seems like there should
be some way to fine-tune which protocol violations get flagged and/or which
ones end up dropping the traffic (something like what is done to configure
IDS signatures/responses).
Am I just missing something?
------------------------------
Message: 2
Date: Tue, 3 Nov 2009 19:45:29 -0800
From: Sidewinder moderated discussion list <sidewinder at adeptech.com>
Subject: Re: [Sidewinder] Protocol violations
To: sidewinder at adeptech.com
Message-ID:
<a9f4a3860911031945w6898e82byed51f784b612a462 at mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
On Tue, Nov 3, 2009 at 15:03, Sidewinder moderated discussion list
<sidewinder at adeptech.com> wrote:
> We have just implemented a sidewinder firewall and are experiencing numerous
> "protocol violations" for http traffic. I understand from talking to
> support that there is not a way to tune protocol violations,
> it's apparently all or nothing (use an http proxy and get the violations or
> use an IP filter rule or maybe a generic proxy and don't get any
> protocol-aware proxy benefits). I'm wondering how other people deal with
> this on two fronts: a.) how do you reduce all the noise generated by these
> log messages and b.) how do you deal with sites that are required for
> business purposes but that have some aspect of them broken because they fail
> to strictly follow RFCs and thus generate protocol violations? Today was
> our first day in production and we identified 3 sites that we couldn't
> submit "plain" html forms through because something on the pages generated
> protocol violations.
>
> I'm dealing with it now by creating a TCP filter rule "above" my main http
> proxy rule and specifying a net group that I then add members to as the
> complaints come in. Obviously not very efficient. I understand and
> appreciate what the sidewinder is doing but to me it seems like there should
> be some way to fine-tune which protocol violations get flagged and/or which
> ones end up dropping the traffic (something like what is done to configure
> IDS signatures/responses).
>
> Am I just missing something?
I'm no expert, but I believe you're not missing anything.
I'm doing basically the same thing - creating an exceptions list for
sites that users have a business need to be visiting. I've had
complaints, and have had to point to the RFCs any number of times.
It's incredibly annoying for the users, but I've never taken it out on
them, because they expect it to "just work", and I don't really blame
them.
However, if I ever get some web designers alone in an alley some day...
BTW - wait until you get random denials while users try to download
PDFs. I've had to drop a couple of directives in squid to make it work
better. I'm at home at the moment, and can't remember the two I had to
filter out - something about "if not changed since" or something like
that, and one other. The version of squid I had didn't filter them,
though it advertised that it did, but the current versions (3.17 and
later, IIRC) of squid fix that.
Kurt
------------------------------
Message: 3
Date: Wed, 4 Nov 2009 08:01:26 -0500
From: Sidewinder moderated discussion list <sidewinder at adeptech.com>
Subject: Re: [Sidewinder] Protocol violations
To: sidewinder at adeptech.com
Message-ID:
<8878e3ce0911040501x4d765e49h5b1b42017d9bad17 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
I'm not in front of the sidewinder but I believe that there is an
option to relax the rules. Make sure that this is checked.
On Tue, Nov 3, 2009 at 6:03 PM, Sidewinder moderated discussion list
<sidewinder at adeptech.com> wrote:
> We have just implemented a sidewinder firewall and are experiencing numerous
> "protocol violations" for http traffic. I understand from talking to
> support that there is not a way to tune protocol violations,
> it's apparently all or nothing (use an http proxy and get the violations or
> use an IP filter rule or maybe a generic proxy and don't get any
> protocol-aware proxy benefits). I'm wondering how other people deal with
> this on two fronts: a.) how do you reduce all the noise generated by these
> log messages and b.) how do you deal with sites that are required for
> business purposes but that have some aspect of them broken because they fail
> to strictly follow RFCs and thus generate protocol violations? Today was
> our first day in production and we identified 3 sites that we couldn't
> submit "plain" html forms through because something on the pages generated
> protocol violations.
>
> I'm dealing with it now by creating a TCP filter rule "above" my main http
> proxy rule and specifying a net group that I then add members to as the
> complaints come in. Obviously not very efficient. I understand and
> appreciate what the sidewinder is doing but to me it seems like there should
> be some way to fine-tune which protocol violations get flagged and/or which
> ones end up dropping the traffic (something like what is done to configure
> IDS signatures/responses).
>
> Am I just missing something?
> _______________________________________________
> Sidewinder mailing list
> Sidewinder at adeptech.com
> http://mail.adeptech.com/mailman/listinfo/sidewinder
>
------------------------------
Message: 4
Date: Wed, 4 Nov 2009 08:59:54 -0500
From: Sidewinder moderated discussion list <sidewinder at adeptech.com>
Subject: Re: [Sidewinder] Protocol violations
To: sidewinder at adeptech.com
Message-ID:
<9cf1ed360911040559ia87e640t9a4592b1abc160e6 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
That's what I'm looking for but I can't see it anywhere. If you can track
it down please let me know where it is.
After my initial post it also occurred to me that Microsoft ISA Server
(software firewall) as early as 2004 had the ability to specify which parts
of protocol RFCs to enforce/ignore. Surely there must be a way to dial it
down if we don't have the need to enforce certain aspects.
Jason
On Wed, Nov 4, 2009 at 8:01 AM, Sidewinder moderated discussion list <
sidewinder at adeptech.com> wrote:
> I'm not in front of the sidewinder but I believe that there is an
> option to relax the rules. Make sure that this is checked.
>
> On Tue, Nov 3, 2009 at 6:03 PM, Sidewinder moderated discussion list
> <sidewinder at adeptech.com> wrote:
> > We have just implemented a sidewinder firewall and are experiencing
> numerous
> > "protocol violations" for http traffic. I understand from talking to
> > support that there is not a way to tune protocol violations,
> > it's apparently all or nothing (use an http proxy and get the violations
> or
> > use an IP filter rule or maybe a generic proxy and don't get any
> > protocol-aware proxy benefits). I'm wondering how other people deal with
> > this on two fronts: a.) how do you reduce all the noise generated by
> these
> > log messages and b.) how do you deal with sites that are required for
> > business purposes but that have some aspect of them broken because they
> fail
> > to strictly follow RFCs and thus generate protocol violations? Today was
> > our first day in production and we identified 3 sites that we couldn't
> > submit "plain" html forms through because something on the pages
> generated
> > protocol violations.
> >
> > I'm dealing with it now by creating a TCP filter rule "above" my main
> http
> > proxy rule and specifying a net group that I then add members to as the
> > complaints come in. Obviously not very efficient. I understand and
> > appreciate what the sidewinder is doing but to me it seems like there
> should
> > be some way to fine-tune which protocol violations get flagged and/or
> which
> > ones end up dropping the traffic (something like what is done to
> configure
> > IDS signatures/responses).
> >
> > Am I just missing something?
> > _______________________________________________
> > Sidewinder mailing list
> > Sidewinder at adeptech.com
> > http://mail.adeptech.com/mailman/listinfo/sidewinder
> >
> _______________________________________________
> Sidewinder mailing list
> Sidewinder at adeptech.com
> http://mail.adeptech.com/mailman/listinfo/sidewinder
>
------------------------------
Message: 5
Date: Wed, 4 Nov 2009 08:10:25 -0600
From: Sidewinder moderated discussion list <sidewinder at adeptech.com>
Subject: Re: [Sidewinder] Protocol violations
To: "'sidewinder at adeptech.com'" <sidewinder at adeptech.com>
Message-ID:
<0288F718808D8A4B9108CAA5EE507D0D95CA60DC35 at MEWMAD0PC02G01.accounts.wistate.us>
Content-Type: text/plain; charset="us-ascii"
RE: Protocol violations: We have also had to add some exception sites because of this issue. The most common protocol error we have seen is web application servers that send HTML along with response codes for which there is not supposed to be any HTML. (IBM's WebSphere application server does that, at least in some versions).
JRJ
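As an added illustration (not Sidewinder code, and not posted by anyone on the list), here is a small checker that implements the kinds of checks described in this thread: Bob's "default" Web Application Defense settings (maximum URL length 1024, HTTP version required, a set of permitted HTTP commands) and JRJ's observation about response codes that must not carry HTML. The permitted-command list, the sample messages and the function names are constructed assumptions; the bodiless status codes (1xx, 204, 304) come from RFC 2616 section 4.3.

```python
"""Minimal HTTP/1.x protocol-violation checker (added example).

Mirrors the checks discussed on the list: URL length limit, required
HTTP version, permitted commands, and a message body on a status code
that forbids one. Constructed for illustration; not Sidewinder code.
"""

# Policy values. 1024 and "require version" are the settings Bob quotes;
# the command set is an assumption made for this example.
MAX_URL_LENGTH = 1024
REQUIRE_HTTP_VERSION = True
ALLOWED_COMMANDS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}

# RFC 2616 section 4.3: 1xx, 204 and 304 responses MUST NOT include a body.
BODILESS_STATUS = {204, 304}


def _split_message(raw: bytes):
    """Split a raw HTTP message into (start line, header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    start = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body


def check_request(raw: bytes) -> list:
    """Return the violation reasons for a raw request; [] means it passes."""
    start, _headers, _body = _split_message(raw)
    violations = []
    parts = start.split(" ")
    method = parts[0] if parts else ""
    if method not in ALLOWED_COMMANDS:
        violations.append(f"command not permitted: {method!r}")
    if len(parts) < 2 or not parts[1]:
        violations.append("request line has no URL")
        return violations
    url = parts[1]
    if len(url) > MAX_URL_LENGTH:
        violations.append(f"URL length {len(url)} exceeds {MAX_URL_LENGTH}")
    if len(parts) < 3 or not parts[2].startswith("HTTP/"):
        if REQUIRE_HTTP_VERSION:
            violations.append("HTTP version missing from request line")
    elif len(parts) > 3:
        violations.append("request line has extra fields")
    return violations


def check_response(raw: bytes) -> list:
    """Return the violation reasons for a raw response; [] means it passes."""
    start, headers, body = _split_message(raw)
    violations = []
    parts = start.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        violations.append("status line malformed")
        return violations
    try:
        status = int(parts[1])
    except ValueError:
        violations.append(f"status code not numeric: {parts[1]!r}")
        return violations
    declared = headers.get("content-length")
    has_body = bool(body) or (declared is not None and declared != "0")
    if (100 <= status < 200 or status in BODILESS_STATUS) and has_body:
        violations.append(f"status {status} must not carry a message body")
    return violations


# Constructed sample messages (not captured traffic).
SAMPLE_REQUEST_OK = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_REQUEST_NO_VERSION = b"GET /index.html\r\nHost: example.test\r\n\r\n"
SAMPLE_REQUEST_LONG = (
    b"GET /" + b"a" * 1100 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n"
)
SAMPLE_RESPONSE_OK = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
# The WebSphere-style case from the thread: HTML on a 304 response.
SAMPLE_RESPONSE_304_WITH_BODY = (
    b"HTTP/1.1 304 Not Modified\r\nContent-Type: text/html\r\n"
    b"Content-Length: 13\r\n\r\n<html></html>"
)

if __name__ == "__main__":
    for label, msg, fn in (
        ("request ok", SAMPLE_REQUEST_OK, check_request),
        ("request no version", SAMPLE_REQUEST_NO_VERSION, check_request),
        ("request long url", SAMPLE_REQUEST_LONG, check_request),
        ("response ok", SAMPLE_RESPONSE_OK, check_response),
        ("response 304 with body", SAMPLE_RESPONSE_304_WITH_BODY, check_response),
    ):
        print(f"{label}: {fn(msg) or 'no violations'}")
```

Running it flags the version-less request, the 1101-character URL and the 304 with an HTML body, and passes the two clean messages; the request checks correspond to the URL Control settings Bob lists, the response check to the WebSphere behaviour JRJ describes.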
------------------------------
Message: 6
Date: Wed, 4 Nov 2009 09:50:29 -0600
From: Sidewinder moderated discussion list <sidewinder at adeptech.com>
Subject: Re: [Sidewinder] Protocol violations
To: "'sidewinder at adeptech.com'" <sidewinder at adeptech.com>
Message-ID:
<0288F718808D8A4B9108CAA5EE507D0D95CA60DC3E at MEWMAD0PC02G01.accounts.wistate.us>
Content-Type: text/plain; charset="us-ascii"
At least in V6, the only place is in the Application Defenses ("Web" by default) -- and all it allows is choosing which side you relax enforcement for (Client or Server).
(... and don't call me Shirley ... ;^) )
> After my initial post it also occurred to me that Microsoft ISA Server
> (software firewall) as early as 2004 had the ability to specify which parts
> of protocol RFCs to enforce/ignore. Surely there must be a way to dial it
> down if we don't have the need to enforce certain aspects.
------------------------------
Message: 7
Date: Wed, 4 Nov 2009 11:01:03 -0500
From: Sidewinder moderated discussion list <sidewinder at adeptech.com>
Subject: Re: [Sidewinder] Protocol violations
To: sidewinder at adeptech.com
Message-ID:
<9cf1ed360911040801p6f389998h9886e2a4598b59a6 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Yes, I think that's exactly what I'm looking for (weird that support knew
exactly what I was talking about but didn't suggest this to fix it). I'll
try it and see if it works. Thanks!
On Wed, Nov 4, 2009 at 10:50 AM, Sidewinder moderated discussion list <
sidewinder at adeptech.com> wrote:
> At least in V6, the only place is in the Application Defenses ("Web" by
> default) -- and all it allows is choosing which side you relax enforcement
> for (Client or Server).
>
> (... and don't call me Shirley ... ;^) )
>
> > After my initial post it also occurred to me that Microsoft ISA Server
> > (software firewall) as early as 2004 had the ability to specify which
> > parts
> > of protocol RFCs to enforce/ignore. Surely there must be a way to dial it
> > down if we don't have the need to enforce certain aspects.
> _______________________________________________
> Sidewinder mailing list
> Sidewinder at adeptech.com
> http://mail.adeptech.com/mailman/listinfo/sidewinder
>
------------------------------
_______________________________________________
Sidewinder mailing list
Sidewinder at adeptech.com
http://mail.adeptech.com/mailman/listinfo/sidewinder
End of Sidewinder Digest, Vol 57, Issue 2
*****************************************