This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
johnnyringo
Advisor
‎2023-07-24 06:19 PM

illegal header format detected: invalid header field

Having a specific HTTP POST request being blocked with the following in the message:

 

 

BlockHttpNonProtocolCompliant
Protocol Anomaly HTTP
illegal header format detected: invalid header field

 

 

Is there anything in the logs or some type of debug command that would show more details about the header?  I'm hesitant to disable features or make system-wide workarounds; fixing how the application is configured would be the preferred work-around.

Pulling a packet capture just would be a needle in a haystack problem because these only represents 0.001% of all requests to the service.   

0 Kudos
9 Replies
_Val_
Admin
Admin
‎2023-07-25 12:10 AM

Traffic capture should show the header details

0 Kudos
johnnyringo
Advisor
‎2023-07-25 04:19 PM
In response to _Val_

I assume that has to be performed in real-time as the error occurs? 

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2023-07-25 11:13 AM

If some attribute of this traffic is known ahead of time (IP address, etc.) you could set up a triggered packet capture to grab the traffic so you can analyze it: Max Capture Update 1: Taking "Triggered" Packet Captures.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
johnnyringo
Advisor
‎2023-07-25 04:19 PM
In response to Timothy_Hall

Source and destination IP will always be the same.  So it only helps if I can trigger based on a specific URL 

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2023-07-25 04:26 PM
In response to johnnyringo

You can do that, in your custom observable created to match the traffic and start the capture simply specify type "URL" and the URL in question.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
the_rock
Legend
Legend
‎2023-07-25 07:38 PM
In response to johnnyringo

You can do below fw monitor example 

say src ip is 1.1.1.1 and dst is 2.2.2.2 and dst port is 443, it would look something like below

fw monitor -F "1.1.1.1,0,2.2.2.2,443,0" -F "2.2.2.2,0,1.1.1.1,443,0"

It goes by "srcip,srcport,dstip,dstport, protocol" and they you can "twist" it the other way around

Hope that helps

Andy

0 Kudos
johnnyringo
Advisor
‎2023-07-26 11:33 AM
In response to the_rock

yeah, this is what diamond support provided.  

I'm suspecting it's something really stupid like an invalid character in the header name or a missing': ' between the name and its value.  So the first link is somewhat helpful as this is a possible cause.

0 Kudos
the_rock
Legend
Legend
‎2023-07-26 11:36 AM
In response to johnnyringo

That would make sense.

0 Kudos
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events