2 Replies Latest reply on Dec 30, 2015 6:19 PM by chirs.moon

    MWG does not send ICAP request properly.

    chirs.moon

      Hello.

      Recently, I have been trying to connect McAfee Web Gateway as an ICAP client with an AV scanner as an ICAP server.

      They seem to communicate with each other without problems.

      But MWG does not send the HTTP response body data to the ICAP server.

      I have no idea why this problem happens.

      I attached a capture file in which 192.168.0.120 (MWG) receives the HTTP response packet from the web server and passes it to the ICAP server (192.168.0.110), but there is no data in the sent packet.

      Does anyone know what causes this problem?

      [attachment: 패킷 손실.jpg]

        • 1. Re: MWG does not send ICAP request properly.

          Your ICAP server is not responding properly. The ICAP request is correct.

          The ICAP server is specifying Preview: 0 in the OPTIONS command.

          MWG honors that by sending the preview with a 0-byte response body, terminated by \r\n0\r\n.

          The ICAP server is then supposed to respond with ICAP/1.0 100 Continue in order to receive the remaining data. There are still 68 bytes left to send.

          The correct conversation should look like this:

          RESPMOD icap://192.168.2.23:1344/respmod ICAP/1.0
          Host: 192.168.2.23
          Encapsulated: req-hdr=0, res-hdr=413, res-body=719
          Preview: 0
          X-Client-IP: 192.168.2.8
          Allow: 204

          GET http://www.eicar.org/download/eicar.com.txt HTTP/1.1
          DNT: 1
          Host: www.eicar.org
          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
          Referer: http://www.eicar.org/85-0-Download.html
          Cache-Control: max-age=0
          Accept-Encoding: gzip, deflate
          Accept-Language: en-US,en;q=0.5
          X-Forwarded-For: 192.168.2.8

          HTTP/1.1 200 OK
          Date: Tue, 29 Dec 2015 14:58:34 GMT
          Server: Apache
          X-Cache: MISS from 192.168.2.231
          Connection: Keep-Alive
          Keep-Alive: timeout=15, max=100
          Content-Type: application/octet-stream
          Cache-control: private
          Content-length: 68
          Content-disposition: attachment; filename="eicar.com.txt"

          0

          ICAP/1.0 100 Continue
          ISTag: "00004459-2.41.130-00008028"

          44
          X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
          0

          ICAP/1.0 200 OK
          ISTag: "00004459-2.41.130-00008028"
          Encapsulated: res-hdr=0, res-body=38
          (ICAP Response Headers)

          HTTP/1.0 430 Blocked
          Content-Length: XX

          (HTTP Response Body)
          0


          The ICAP server is prematurely terminating the session because it thinks that \r\n0\r\n is the end of the entire request, which it is not. The Content-length still needs to finish sending.

          If you can get the ICAP server to send a larger value in the preview response on the OPTIONS command (like 256 bytes), you will see the entire body coming through in the preview and see the blocked response. However, that is not a long-term solution. The ICAP server has to conform correctly to the protocol in order to work properly.
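The preview handshake described in this reply, as an added example that is not part of the original thread or of either product: a small Python simulation of both sides, with the HTTP headers and the EICAR body taken from the thread and shortened, and the ICAP server address (192.168.0.110) taken from the original question. The client function builds the RESPMOD preview for a server-advertised preview size; the server function shows the point the reply makes, that a "0" chunk at the end of the preview means "more data follows, send 100 Continue", while the same "0" chunk after the continuation means the body is complete. A second, deliberately faulty server function scans only the preview, which is the behaviour the thread diagnoses: with Preview: 0 it never sees the 68 bytes, with a 256-byte preview it happens to see everything.

```python
"""Simulation of the ICAP RESPMOD preview handshake (constructed example)."""
import re

# 68-byte EICAR test string, as shown in the thread (a harmless AV test pattern).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed, shortened HTTP request/response headers from the thread.
REQ_HDR = (b"GET http://www.eicar.org/download/eicar.com.txt HTTP/1.1\r\n"
           b"Host: www.eicar.org\r\n\r\n")
RES_HDR = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
           b"Content-length: 68\r\n\r\n")


def chunk(data):
    """One HTTP/ICAP chunk: hex length, CRLF, data, CRLF."""
    return b"%x\r\n%s\r\n" % (len(data), data)


def build_preview(body, preview_size):
    """Client side (what MWG sends). Returns (preview_message, remaining_body).
    With preview_size == 0 the preview body is only the terminator '0\\r\\n\\r\\n',
    meaning 'more follows, wait for 100 Continue'. If the whole body fits into
    the preview, the terminator carries '; ieof' instead (RFC 3507)."""
    head, rest = body[:preview_size], body[preview_size:]
    terminator = b"0\r\n\r\n" if rest else b"0; ieof\r\n\r\n"
    preview_body = (chunk(head) if head else b"") + terminator
    icap_hdr = (b"RESPMOD icap://192.168.0.110:1344/respmod ICAP/1.0\r\n"
                b"Host: 192.168.0.110\r\n"
                b"Encapsulated: req-hdr=0, res-hdr=%d, res-body=%d\r\n"
                b"Preview: %d\r\nAllow: 204\r\n\r\n"
                % (len(REQ_HDR), len(REQ_HDR) + len(RES_HDR), preview_size))
    return icap_hdr + REQ_HDR + RES_HDR + preview_body, rest


def parse_chunks(data):
    """Parse a chunked body fragment. Returns (payload, terminator) where
    terminator is None (incomplete), 'end' (a plain 0 chunk) or 'ieof'."""
    out, pos = bytearray(), 0
    while True:
        nl = data.find(b"\r\n", pos)
        if nl < 0:
            return bytes(out), None
        size_line = data[pos:nl]
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            return bytes(out), "ieof" if b"ieof" in size_line else "end"
        start = nl + 2
        if len(data) < start + size + 2:
            return bytes(out), None
        out += data[start:start + size]
        pos = start + size + 2


def encapsulated_body(msg):
    """Locate the res-body section of an ICAP message using the Encapsulated header."""
    hdr_end = msg.index(b"\r\n\r\n") + 4
    offset = int(re.search(rb"res-body=(\d+)", msg[:hdr_end]).group(1))
    return msg[hdr_end + offset:]


def compliant_server(preview_msg, fetch_rest):
    """Server side done right: a plain '0' chunk closing the preview means the
    client still holds data, so answer 100 Continue and read the remainder."""
    body, term = parse_chunks(encapsulated_body(preview_msg))
    sent = []
    if term == "end":
        sent.append(b"ICAP/1.0 100 Continue\r\n\r\n")
        rest, term = parse_chunks(fetch_rest())   # here 'end' really is the end
        body += rest
    verdict = "blocked" if EICAR in body else "clean"
    if verdict == "blocked":
        blk_hdr = b"HTTP/1.0 430 Blocked\r\nContent-Length: 7\r\n\r\n"
        sent.append(b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, res-body=%d\r\n\r\n"
                    % len(blk_hdr) + blk_hdr + chunk(b"blocked") + b"0\r\n\r\n")
    else:
        sent.append(b"ICAP/1.0 204 No Content\r\n\r\n")
    return {"verdict": verdict, "sent_continue": sent[0].startswith(b"ICAP/1.0 100"),
            "received": len(body), "messages": sent}


def faulty_server(preview_msg):
    """The behaviour diagnosed in the thread: treats the preview's '0' chunk as the
    end of the whole request and scans only what the preview contained."""
    body, _ = parse_chunks(encapsulated_body(preview_msg))
    return {"verdict": "blocked" if EICAR in body else "clean", "received": len(body)}


def run_exchange(preview_size, body=EICAR, server=compliant_server):
    """Drive one client/server exchange for a given advertised preview size."""
    preview_msg, rest = build_preview(body, preview_size)
    if server is faulty_server:
        return faulty_server(preview_msg)
    return compliant_server(preview_msg, lambda: chunk(rest) + b"0\r\n\r\n")
```

With Preview: 0 the compliant server answers 100 Continue and only then sees the 68-byte body; with a 256-byte preview everything arrives in the preview with the ieof marker and no continuation is needed, which is exactly why a larger preview size masks the bug without fixing it.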

          • 2. Re: MWG does not send ICAP request properly.
            chirs.moon

            Thanks for replying.

            As you said, the problem was in handling the preview ICAP request.

            I have raised this issue with the AV scanner's vendor.

            So, thank you for helping me.

            Happy new year!