1163 Views 5 Replies Latest reply: Dec 13, 2012 5:35 AM by asabban
Troja Champion 255 posts since
Aug 26, 2010

Nov 23, 2012 4:38 AM

Qualys Security Scanner strikes down MWG

Hi all,

Has anyone seen the same problem? When a Qualys security scanner scans MWG, the system is running at 100% CPU. After rebooting the system there is also 100% CPU used.

This happens directly after the system was scanned by the Qualys agent.

 

The Access LOG shows the following entry (there are up to 20 entries per second)

[23/Nov/2012:09:27:12 +0100] "" 192.168.10.10 502 "GET http://192.168.10.20:8080/SITEMINDERAGENT/PWCGI/SMPWSERVICESCGI.EXE?TARGET=HTTP: //WWW.QUALYS.COM HTTP/1.1" "Business, Internet Services" "Unverified" "" 2928 223672 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC)" "" "0" ""

 

192.168.10.10 -> physical IP on eth0

192.168.10.20 -> HA VIP on eth0

 

The Access Denied LOG shows that this request was blocked! But the entries shown above are generated in the access log file.

- A TCP Dump is showing no client connection on MWG

- There is no HTTP traffic visible in the tcpdump

 

For me it seems there is something looping......

 

 

Finally I added this ruleset and it seems this ends the "loop".... Could this be?

BLock_Qualys.JPG

 

Cheers,

Thorsten

  • asabban McAfee SME 1,354 posts since
    Nov 3, 2009
    1. Nov 26, 2012 9:03 AM (in response to Troja)
    Re: Qualys Security Scanner strikes down MWG

    Hello,

     

    It does not make too much sense that the problem persists when a restart was performed. Maybe the request was still queued at the director and handed to the scanning node when it came back after the reboot?

     

    However, I strongly recommend creating a feedback of the affected MWG and providing all the information to support. If there is any kind of loop caused by the requests, this has to be analyzed, found and fixed by engineering.

     

    Best,

    Andre

  • Jon Scholten McAfee SME 857 posts since
    Nov 3, 2009
    2. Nov 26, 2012 10:24 AM (in response to Troja)
    Re: Qualys Security Scanner strikes down MWG

    I'm guessing you are turning off the via header which may cause the proxy loop.

     

    MWG uses the via header to detect and stop proxy loops.

     

    Perhaps only turn the via header off if the "client.ip is not in range 127.0.0.0/16".

     

    Best,
    Jon

  • asabban McAfee SME 1,354 posts since
    Nov 3, 2009
    5. Dec 13, 2012 5:35 AM (in response to Troja)
    Re: Qualys Security Scanner strikes down MWG

    Hi Thorsten,

     

    If not already done, are you please able to file a service request?

     

    Please add a tcpdump that shows the start of the security scan to allow us to replicate the problem without having the security scanner. Support will replicate the issue and file a bug with development. They will look at what's happening and fix the issue.

     

    We can't do that from within the community.

     

    Best,

    Andre
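
Added example, not part of the original thread and not McAfee code: a log check for the symptom described in the first post, where the appliance's own address requests its own proxy listener many times per second. The field layout is taken from the quoted access log line; the function name, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Field layout taken from the access log line quoted in the first post:
# [timestamp] "user" source-ip status "METHOD url HTTP/x.y" ...
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "[^"]*" (?P<src>\S+) (?P<status>\d{3}) '
    r'"(?P<method>\S+) (?P<url>.+?) HTTP/[\d.]+"'
)

def find_self_requests(lines, own_ips, proxy_port=8080, threshold=5):
    """Return {timestamp: count} for each second in which one of the
    appliance's own addresses requested its own proxy listener at least
    `threshold` times (hypothetical helper, threshold is an assumption)."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["src"] not in own_ips:
            continue  # unparsable line, or a real client
        target = urlsplit(m["url"])
        try:
            port = target.port
        except ValueError:  # malformed port in the logged URL
            continue
        if target.hostname in own_ips and port == proxy_port:
            hits[m["ts"]] += 1
    return {ts: n for ts, n in hits.items() if n >= threshold}

# Constructed sample: the thread's log line (trailing fields shortened)
# repeated 20 times in one second, plus one ordinary client request.
OWN_IPS = {"192.168.10.10", "192.168.10.20"}  # physical IP and HA VIP
LOOP_LINE = ('[23/Nov/2012:09:27:12 +0100] "" 192.168.10.10 502 '
             '"GET http://192.168.10.20:8080/SITEMINDERAGENT/PWCGI/'
             'SMPWSERVICESCGI.EXE?TARGET=HTTP: //WWW.QUALYS.COM HTTP/1.1" '
             '"Business, Internet Services" "Unverified" "" 2928 223672')
CLIENT_LINE = ('[23/Nov/2012:09:27:12 +0100] "" 192.168.10.55 200 '
               '"GET http://www.example.com/ HTTP/1.1" "" "" "" 512 1200')
SAMPLE = [LOOP_LINE] * 20 + [CLIENT_LINE]

if __name__ == "__main__":
    for ts, count in find_self_requests(SAMPLE, OWN_IPS).items():
        print(f"{ts}: {count} self-addressed requests")
```

A non-empty result while a tcpdump shows no matching client connections is the pattern the thread describes and is worth attaching to the service request.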
