jfi
Level 7

Annoying problem with User-Defined variable

Hi all,

We have an annoying problem for which we can't seem to find a workaround. Our Web Gateway receives traffic from another proxy, the other proxy is adding a http header field called "From" to the HTTP CONNECT request, and setting the user-id as value in this "From" Header.

At the start of the ruleset the Web Gateway extracts this value and places it in a User-Defined variable: Set User-Defined.USERID = Header.Get("From").

So we're logging all requests, and using this variable to log the userid, but for most logged requests this field is empty. We've confirmed, with packet captures, that 100% of the HTTP CONNECTs arriving on the Web Gateway have a valid user-id in the "From" header.

When debugging it with rule tracing, it seems like only the cycle with the initial HTTP CONNECT is able to read the header, and the user-id is correctly logged. But all following requests (HTTP GETs inside the connection created with the HTTP CONNECT, I assume?) come up empty when trying to read the "From" header.

The other proxy is also putting the client IP in the X-Forwarded-For header. Our Web Gateway extracts this via the event -> Set User-Defined.iClientIP = Client.IP. In the rule tracing we see that this User-Defined variable is always correctly fetched and nicely written in the log, even for the log lines where the user-id is empty.

So the Web Gateway seems to store the X-Forwarded-For value in Client.IP for the duration of the "entire" connection, and we are able to read it during the multiple cycles of that connection, whereas our Header.Get("From") seems to be valid only during the very first request cycle.

Does someone know a way to store our user-id over the course of an entire connection? So that we can write it in each logline? Or some other workaround to get the user-id on each logline?

Thanks,
Joeri


Accepted Solutions
McAfee Employee

Re: Annoying problem with User-Defined variable

Hi Joeri,

I know this problem very well! You've explored it pretty thoroughly.

User-Defined Properties only last for the given transaction. In the case of an SSL connection, the CONNECT is a separate transaction from the traffic inside the tunnel, so that's why the User-Defined Property doesn't stick.

To work around this, you can use other properties which are more sticky.

  • Client.IP
  • Most Authentication.* properties (assuming Authentication.IsAuthenticated is set to true)
  • 7.8.1 includes new properties for this scenario called "Connection.Variables", you can use them in events

For your scenario, you're trying to set a property called "USERID", so I'm assuming this is the username? If so, you could just store the "From" header in the Authentication.Username property, and set Authentication.IsAuthenticated = true and the value will be stored for the entire connection.

Here's a quick example of it: (screenshot 2018-05-04_161630.png)

The criteria checks to see if the user is already authenticated, if the "From" header exists, and if the connection is coming from a trusted IP (otherwise anyone could insert a "From" header and impersonate someone else).

In the event, I set Authentication.IsAuthenticated to true (this tells MWG to hold the Username for the whole connection), then I set the username to whatever is in the "From" header (assuming it's a plaintext string). And finally I remove the "From" header so it's not sent to any upstream or internet services.

Hope that helps.

Best Regards,

Jon
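
A constructed Python model of the two property scopes Jon describes, added here as an illustration (it is not MWG code and not part of the thread; the trusted upstream range 10.0.0.0/8, the hostnames and the user names are assumptions). It replays one client connection, a CONNECT followed by two tunnelled GETs, first with Joeri's User-Defined.USERID rule and then with the Authentication.Username rule above, and shows the trusted-IP criterion ignoring a "From" header that arrives from outside the trusted range.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Assumption: the upstream proxy that asserts identity via "From" lives in this range.
TRUSTED_UPSTREAM = [ip_network("10.0.0.0/8")]


@dataclass
class Connection:
    """State MWG keeps for the whole client connection (Client.IP, Authentication.*)."""
    client_ip: str
    auth: Dict[str, object] = field(
        default_factory=lambda: {"IsAuthenticated": False, "Username": ""})


@dataclass
class Transaction:
    """One request cycle; User-Defined.* properties start empty every time."""
    conn: Connection
    method: str
    url: str
    headers: Dict[str, str]
    user_defined: Dict[str, str] = field(default_factory=dict)


def from_trusted_ip(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_UPSTREAM)


def rule_user_defined_only(tx: Transaction) -> None:
    """Joeri's original rule: Set User-Defined.USERID = Header.Get("From")."""
    tx.user_defined["USERID"] = tx.headers.get("From", "")


def rule_store_in_auth(tx: Transaction) -> None:
    """Jon's rule. Criteria: not yet authenticated AND "From" present AND trusted source."""
    auth = tx.conn.auth
    if (not auth["IsAuthenticated"]
            and "From" in tx.headers
            and from_trusted_ip(tx.conn.client_ip)):
        # Events: mark the connection authenticated so Username sticks, copy the
        # header in, then strip it so the assertion is not forwarded upstream.
        auth["IsAuthenticated"] = True
        auth["Username"] = tx.headers["From"]
        del tx.headers["From"]


def run_session(client_ip: str, user: str, use_auth_props: bool) -> List[dict]:
    """Replay CONNECT + two tunnelled GETs on one connection; return one log record each."""
    conn = Connection(client_ip)
    # Only the CONNECT carries the upstream proxy's "From" header; the tunnelled
    # requests are separate transactions and do not repeat it (constructed input).
    txs = [
        Transaction(conn, "CONNECT", "example.test:443", {"From": user}),
        Transaction(conn, "GET", "https://example.test/a", {}),
        Transaction(conn, "GET", "https://example.test/b", {}),
    ]
    rule = rule_store_in_auth if use_auth_props else rule_user_defined_only
    records = []
    for tx in txs:
        rule(tx)
        records.append({
            "method": tx.method,
            "username": tx.conn.auth["Username"],          # Authentication.Username
            "userid": tx.user_defined.get("USERID", ""),   # User-Defined.USERID
            "from_forwarded": "From" in tx.headers,        # would the header leak upstream?
        })
    return records


if __name__ == "__main__":
    for label, recs in (("user-defined", run_session("10.1.2.3", "joeri", False)),
                        ("auth props", run_session("10.1.2.3", "joeri", True)),
                        ("untrusted", run_session("203.0.113.5", "someone", True))):
        for r in recs:
            print(f"{label:13} {r['method']:8} user={r['username']!r} userid={r['userid']!r}")
```

Run it and the first block shows the symptom from the question (the user id appears on the CONNECT line only), the second shows the same name on all three lines because it now lives in connection state, and the third shows that a "From" header from an untrusted address never reaches Authentication.Username.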

jfi
Level 7

Re: Annoying problem with User-Defined variable

Thanks Jon, using these properties solved the problem! I assumed these properties couldn't be used when the MWG itself didn't do the authentication.

Thanks!