cancel
Showing results for 
Search instead for 
Did you mean: 
malware-alerts
Level 10

CSR 2.1 does not report HTTP 407 status?

Jump to solution

I'd like to generate a report to get some data on which sites triggered the HTTP 407 status the most in my environment in order to build a list of sites that should be made available without authentication.

Unfortunately, it seems that the only HTTP statuses CSR can report on are:

200

204

301

302

304

400

403

404

500

502

Can anyone confirm that or is there something I might be doing wrong?

I did look at the local logs on MWG and I do see plenty of HTTP 407.

Thanks.

Message was edited by: malware-alerts on 6/19/14 1:34:20 PM CDT
0 Kudos
1 Solution

Accepted Solutions
sroering
Level 13

Re: CSR 2.1 does not report HTTP 407 status?

Jump to solution

CSR and Web Reporter do not import lines with 407 status code. The reason is that every TCP connection in that deployment would get a 2nd hit. One before auth, and one after authentication.

So if you want them imported, you'd have the change their status code before writing to the log.

0 Kudos
3 Replies
sroering
Level 13

Re: CSR 2.1 does not report HTTP 407 status?

Jump to solution

CSR and Web Reporter do not import lines with 407 status code. The reason is that every TCP connection in that deployment would get a 2nd hit. One before auth, and one after authentication.

So if you want them imported, you'd have the change their status code before writing to the log.

0 Kudos
McAfee Employee

Re: CSR 2.1 does not report HTTP 407 status?

Jump to solution

It should be noted that just be cause a site has 407 status code associated with it, does not mean that the site would fail to perform authentciation.

See the second post of this thread:

https://community.mcafee.com/message/333935#333935

With NTLM there will be two 407's before a 200.

Best,

Jon

0 Kudos
malware-alerts
Level 10

Re: CSR 2.1 does not report HTTP 407 status?

Jump to solution

Jon, I agree with your statement.

I'm simply trying to pull a report where I can identify the sites that get the most initial connects from the widest amount of users to then be able to take a decision on which of those we could allow without authentication.

Pulling the 407s would have allowed me to export the table in excel and get these numbers (most connects by most amount of users) using a simple pivot table.

I simply ended up exporting the 407s from the raw logs from MWG and doing the calculations in excel so it's all good.

0 Kudos