chirs.moon
Level 7

MWG does not send ICAP request properly.

Hello.

Recently, I have been trying to connect McAfee Web Gateway as an ICAP client with an AV scanner as an ICAP server.

It seems there is no problem with them communicating with each other.

But MWG does not send the HTTP response body data to the ICAP server.

I have no idea why this problem happened.

I attached a capture file in which 192.168.0.120 (MWG) received the HTTP response packet from the web server and passed it to the ICAP server (192.168.0.110), but there is no data in the packet it sends.

Does anyone know what causes this problem?

패킷 손실.jpg

0 Kudos
2 Replies
eelsasser
Level 15

Re: MWG does not send ICAP request properly.

Your ICAP server is not responding properly. The ICAP request is correct.

The ICAP server is specifying Preview: 0 in the OPTIONS command.

MWG is honoring that by sending the preview with a 0-byte response body, terminated by \r\n0\r\n.

The ICAP server is supposed to respond with ICAP/1.0 100 Continue in order to receive the remaining data. There are still 68 bytes left to send.

The correct conversation should look like this:

RESPMOD icap://192.168.2.23:1344/respmod ICAP/1.0
Host: 192.168.2.23
Encapsulated: req-hdr=0, res-hdr=413, res-body=719
Preview: 0
X-Client-IP: 192.168.2.8
Allow: 204

GET http://www.eicar.org/download/eicar.com.txt HTTP/1.1
DNT: 1
Host: www.eicar.org
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.eicar.org/85-0-Download.html
Cache-Control: max-age=0
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
X-Forwarded-For: 192.168.2.8

HTTP/1.1 200 OK
Date: Tue, 29 Dec 2015 14:58:34 GMT
Server: Apache
X-Cache: MISS from 192.168.2.231
Connection: Keep-Alive
Keep-Alive: timeout=15, max=100
Content-Type: application/octet-stream
Cache-control: private
Content-length: 68
Content-disposition: attachment; filename="eicar.com.txt"

0

ICAP/1.0 100 Continue
ISTag: "00004459-2.41.130-00008028"

44
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
0

ICAP/1.0 200 OK
ISTag: "00004459-2.41.130-00008028"
Encapsulated: res-hdr=0, res-body=38
(ICAP Response Headers)

HTTP/1.0 430 Blocked
Content-Length: XX

(HTTP Response Body)
0

The ICAP server is prematurely terminating the session based on thinking that \r\n0\r\n is the end of the entire request, which it is not. The Content-length needs to finish sending.

If you can get the ICAP server to send a larger value in the preview response on the OPTIONS command (like 256 bytes), you will see the entire body coming through in the preview and see the blocked response. However, that is not a long term solution. The ICAP server has to correctly conform to the protocol in order to work properly.

0 Kudos
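As an added example (not code from the thread, from MWG or from the AV vendor), this is the server-side preview handling the reply describes, in Python: decode the chunked preview and treat a bare `0` chunk as "more data follows, answer 100 Continue", while only `0; ieof` (RFC 3507 section 4.5) means the preview held the whole body. The hostname, the request builder and the EICAR-string match standing in for a scanner are constructed for the example.

```python
# Constructed sample data: the 68-byte (0x44) EICAR test string the web
# server returned in the thread; matching it stands in for an AV engine.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
REQ_HDR = b"GET http://www.eicar.org/download/eicar.com.txt HTTP/1.1\r\nHost: www.eicar.org\r\n\r\n"
RES_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nContent-length: 68\r\n\r\n"

def chunk(data: bytes) -> bytes:
    """One HTTP chunk: hex size, CRLF, payload, CRLF."""
    return f"{len(data):x}\r\n".encode() + data + b"\r\n"

def build_respmod(req_hdr: bytes, res_hdr: bytes, body_chunks: bytes, preview: int) -> bytes:
    """Assemble a RESPMOD request the way an ICAP client such as MWG would (constructed host)."""
    enc = f"req-hdr=0, res-hdr={len(req_hdr)}, res-body={len(req_hdr) + len(res_hdr)}"
    icap = ("RESPMOD icap://icap.example.test:1344/respmod ICAP/1.0\r\n"
            "Host: icap.example.test\r\n"
            f"Encapsulated: {enc}\r\nPreview: {preview}\r\nAllow: 204\r\n\r\n")
    return icap.encode() + req_hdr + res_hdr + body_chunks

def read_chunked(body: bytes):
    """Decode chunks up to the zero-size chunk. Returns (data, ieof).
    ieof is True only for '0; ieof': the preview contained the whole body.
    A bare '0' ends the preview but NOT the message (that was the bug)."""
    data, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size_field, _, ext = body[pos:eol].decode().partition(";")
        size = int(size_field.strip(), 16)
        pos = eol + 2
        if size == 0:
            return bytes(data), ext.strip() == "ieof"
        data += body[pos:pos + size]
        pos += size + 2  # skip the chunk's trailing CRLF

def handle_preview(raw: bytes) -> str:
    """Server-side decision after receiving the preview portion of a RESPMOD."""
    head, _, encapsulated = raw.partition(b"\r\n\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in
               (line.decode().partition(":") for line in head.split(b"\r\n")[1:])}
    offsets = dict(p.strip().split("=") for p in headers["encapsulated"].split(","))
    data, ieof = read_chunked(encapsulated[int(offsets["res-body"]):])
    if not ieof:
        # The thread's ICAP server closed the session here; the protocol
        # requires asking for the remaining Content-length bytes instead.
        return "ICAP/1.0 100 Continue"
    # Preview was the complete body: scan it and answer 204 (clean, allowed
    # by "Allow: 204") or 200 with a replacement block response.
    return "ICAP/1.0 200 OK" if EICAR in data else "ICAP/1.0 204 No Content"
```

With Preview: 0 the client sends only the `0\r\n\r\n` terminator, so the correct reply is always 100 Continue; with Preview: 256 the 68-byte file fits in the preview and the verdict can be given immediately, which is the workaround the reply mentions.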
chirs.moon
Level 7

Re: MWG does not send ICAP request properly.

Thanks for replying.

As you said, the problem was the handling of the preview ICAP request.

I have raised this issue with the AV scanner's vendor.

So... thank you for helping me.

Happy new year!

0 Kudos