False positive logs - HTTP traffic that passes through Proxy was rejected by IPS protection 'Non Compliant HTTP' as 'Attack: Block HTTP Non Compliant'
Solution ID: sk93824
Product: IPS
Version: R75.45
Platform / Model: All
Date Created: 25-Jul-2013
Last Modified: 06-Oct-2013
Symptoms
- SmartLog / SmartView Tracker shows false positive IPS logs for HTTP Response packets with Body that contains CHUNK (http://tools.ietf.org/html/rfc2616#section-3.6.1) and GZIP (http://tools.ietf.org/html/rfc6713) when HTTP traffic passes through Proxy, and IPS 'Non Compliant HTTP' protection and 'Gzip Enforcement' protection are enabled:
Product: IPS Software Blade
Action: Reject
Protection Name: Non Compliant HTTP
Attack: Block HTTP Non Compliant
Protection Type: Protocol Anomaly HTTP
Protection ID: BlockHttpNonProtocolCompliant
Product Family: Network
- Kernel debug (fw ctl debug -m WS all) shows:
.......................
;ws_filter_mgr_execute_filter_chain: filter GZIP returned status: CONTINUE;
.......................
;ws_body_stream_resume: forwarding the stream by 6 characters.;
;ws_body_stream_resume: [ERROR]: the filter offset (6) is larger than the stream's length (1);
;ws_abs_stream_default_set_reading_context: [ERROR]: couldn't resume the stream;
;ws_skip_stream_set_reading_context: [ERROR]: ws_abs_stream_set_reading_context failed;
;ws_gzip_stream_set_reading_context: [ERROR]: ws_abs_stream_set_reading_context for original zipped stream failed;
;ws_filter_mgr_execute_filter_chain: [ERROR]: set filter context to: SIGNATURE, failed;
;ws_http_process_body: [ERROR]: failed to execute filter chain;
;ws_http_session_server_read: [ERROR]: failed to process body;
.......................
;ws_http_session_format_url_for_logging: logging the URL for the first time;
;ws_http_session_make_abs_url_ex: a non-default scheme was found, URL is considered absolute;
.......................
;ws_http_process_http_parsing_error: Calling policy container to process general parser event 3;
;appi_global_policy_get_parser_error_action: parser error action is REJECT;
.......................
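When triaging a 'Non Compliant HTTP' reject, the debug sequence above can be matched mechanically. The following Python is an added example, not Check Point code: the function name `triage`, the assumption that one connection's debug lines appear contiguously, and the negative sample are constructed for illustration.

```python
import re

# Debug lines copied from the symptom above (elision markers dropped).
SK_SAMPLE = """\
;ws_filter_mgr_execute_filter_chain: filter GZIP returned status: CONTINUE;
;ws_body_stream_resume: forwarding the stream by 6 characters.;
;ws_body_stream_resume: [ERROR]: the filter offset (6) is larger than the stream's length (1);
;ws_filter_mgr_execute_filter_chain: [ERROR]: set filter context to: SIGNATURE, failed;
;ws_http_process_body: [ERROR]: failed to execute filter chain;
;ws_http_process_http_parsing_error: Calling policy container to process general parser event 3;
;appi_global_policy_get_parser_error_action: parser error action is REJECT;
"""

# Constructed negative sample: a reject with no stream-resume failure before it.
OTHER_REJECT = """\
;ws_http_process_http_parsing_error: Calling policy container to process general parser event 3;
;appi_global_policy_get_parser_error_action: parser error action is REJECT;
"""

OFFSET_RE = re.compile(r"ws_body_stream_resume: \[ERROR\]: the filter offset \((\d+)\) "
                       r"is larger than the stream's length \((\d+)\)")
CHAIN_FAIL = "ws_http_process_body: [ERROR]: failed to execute filter chain"
REJECT = "parser error action is REJECT"

def triage(debug_text):
    """Return one finding per REJECT that follows the stream-resume failure."""
    findings, gzip_seen, overrun, chain_failed = [], False, None, False
    for line in debug_text.splitlines():
        if "filter GZIP returned status" in line:
            gzip_seen = True
        m = OFFSET_RE.search(line)
        if m:
            overrun = (int(m.group(1)), int(m.group(2)))
        elif CHAIN_FAIL in line and overrun:
            chain_failed = True
        elif REJECT in line:
            if overrun and chain_failed:
                findings.append({"offset": overrun[0], "length": overrun[1],
                                 "gzip_filter": gzip_seen})
            # Assumption: a REJECT ends the session's lines; reset for the next one.
            gzip_seen, overrun, chain_failed = False, None, False
    return findings

if __name__ == "__main__":
    for f in triage(SK_SAMPLE):
        print("matches the symptom sequence:", f)
```

A reject that returns no finding here did not follow the stream-resume failure shown in this article and should be investigated as a separate event.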