cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

Application Defense Problems(?)

All- Sorry to "shotgun" so many questions at everyone, but i didnt want to make 3 different posts about this as it could all be the same issue(???).

Background:  Im running 8.3.1, with non-transparent proxy, and none of the controls enabled (url, smartfilter, etc).   I believe the following issues are related to using non-transparent proxying or my application defense itself.

<TCP Unknown>

Ive read the post about this from PhilM and still have a remaining question.   Is the official fix to build a custom application?   This dosent seem like the proper answer as it would appear to me to potientally bypass the proper app defense.   Thoughts?

HTTPS traffic flagged as ISAKMP

Over the past two months we have had problems (simliar on all 12 of our firewalls), where HTTPS traffic is flagged as ISAKMP. This problem went away for a bit after the last application signature update, however it is back! In the event below you can clearly see that the port is 443, however its being flagged as ISAKMP, however it is hitting the appropriate ruleset which only contains HTTP and HTTPS.   

2013-05-31 06:36:52 -0400 f_http_proxy a_libproxycommon t_nettraffic p_major

pid: 1772 logid: 0 cmd: 'httpp' hostname: xxx.x.x event: session end

application: ISAKMP app_risk: low app_categories: tunnels

netsessid: 222aa51a87d44 srcip: x.x.x.x srcport: 54171

srczone: internal protocol: 6 dst_geo: US dstip: x.x.x.x

dstport: 443 dstzone: external bytes_written_to_client: 15979

bytes_written_to_server: 1461 rule_name: Internet Servicesn cache_hit: 1

start_time: 2013-05-31 06:36:52 -0400

URL too long

Some site searches are denied.   The event viewer shows the following (below).   I turned off all of our URL app defenses, smartfilter, etc.   Its pretty much a IP filter at this point but im still getting this error.

2013-05-31 08:01:32 -0400 f_http_proxy a_proxy t_attack p_minor

pid: 1771 logid: 0 cmd: 'httpp' hostname:  xxx.x.x

category: appdef_violation event: request filter netsessid: 268c251a8910c

srcip: x.x.x.x srcport: 10886 srczone: internal dst_local_port: 80

protocol: 6 src_local_port: 0 dst_geo: US dstip: x.x.x.x

dstport: 80 dstzone: external attackip: x.x.x.x attackzone: internal

rule_name: Internet Services

reason: Request denied by request filter: URL too long.

examples:

usairways.com (pick any date and flight and hit search)

burgerking.com  (do a search at the top)

Does anyone have any thoughts.   I contacted support but they were not able to duplicate ANY of these errors.

UPDATE

Shutting off the app defense all together seems to correct both problems.  (defense group, select "none" for http) HTTPS/HTTP traffic is identified correctly and the URL length is no longer a problem.   Indicating that both of these problems are with the http app defense.  

Message was edited by: mathew.d.hailey on 5/31/13 7:35:21 AM CDT

Message was edited by: mathew.d.hailey on 5/31/13 7:45:34 AM CDT

Message was edited by: mathew.d.hailey on 6/7/13 9:24:44 AM CDT
2 Replies
sliedl
Level 14
Report Inappropriate Content
Message 2 of 3

Re: Application Defense Problems(?)

This is actually fixed by a patch.  Please file a Support ticket and we can build you a patch.  This fix will be included in 8.3.2 (although I do not know exactly when that will be released).

Re: Application Defense Problems(?)

Thanks!   I have already forwarded this on to the representative who is assisting me with this issue.  Hopefully the engineering team will send me the patch.  

This patch was added in the latest update.    We are good to go!!!

Message was edited by: mathew.d.hailey on 3/4/14 5:19:13 PM CST
More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community