Support Center > Search Results > SecureKnowledge Details
False positive logs - HTTP traffic that passes through Proxy was rejected by IPS protection 'Non Compliant HTTP' as 'Attack: Block HTTP Non Compliant' Technical Level
Symptoms
  • SmartLog/ SmartView Tracker shows false positive IPS logs for HTTP Response packets with Body that contains CHUNK (http://tools.ietf.org/html/rfc2616#section-3.6.1) and GZIP (http://tools.ietf.org/html/rfc6713) when HTTP traffic passes through Proxy, and IPS 'Non Compliant HTTP' protection and 'Gzip Enforcement' protection are enabled:

    Product: IPS Software Blade
    Action: Reject
    Protection Name: Non Compliant HTTP
    Attack: Block HTTP Non Compliant
    Protection Type: Protocol Anomaly HTTP
    Protection ID: BlockHttpNonProtocolCompliant
    Product Family: Network


  • Kernel debug (fw ctl debug -m WS all) shows:

    .......................
    ;ws_filter_mgr_execute_filter_chain: filter GZIP returned status: CONTINUE;
    .......................
    ;ws_body_stream_resume: forwarding the stream by 6 characters.;
    ;ws_body_stream_resume: [ERROR]: the filter offset (6) is larger than the stream's length (1);
    ;ws_abs_stream_default_set_reading_context: [ERROR]: couldn't resume the stream;
    ;ws_skip_stream_set_reading_context: [ERROR]: ws_abs_stream_set_reading_context failed;
    ;ws_gzip_stream_set_reading_context: [ERROR]: ws_abs_stream_set_reading_context for original zipped stream failed;
    ;ws_filter_mgr_execute_filter_chain: [ERROR]: set filter context to: SIGNATURE, failed;
    ;ws_http_process_body: [ERROR]: failed to execute filter chain;
    ;ws_http_session_server_read: [ERROR]: failed to process body;
    .......................
    ;ws_http_session_format_url_for_logging: logging the URL for the first time;
    ;ws_http_session_make_abs_url_ex: a non-default scheme was found, URL is considered absolute;
    .......................
    ;ws_http_process_http_parsing_error: Calling policy container to process general parser event 3;
    ;appi_global_policy_get_parser_error_action: parser error action is REJECT;
    .......................
Solution
Note: To view this solution you need to Sign In .