This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Prashan_Attanay
Collaborator
‎2017-11-28 11:28 PM

IPS Non Compliant HTTP

Checkmates,

We by-pass the IPS for our internal network with the option of "Non compliant HTTP". But still "....../..ReturnSubmissionBS.svc" reject from IPS

What is reason for that ?

0 Kudos
5 Replies
Pedro_Espindola
Advisor
‎2017-11-29 03:11 AM

Hello Prashan

I'm not sure I understand your question. "Non-compliant HTTP" protection does what the name says: prevents HTTP connections which are not compliant with protocol standards. Other protections for HTTP connections will still apply.

The prevention is happening for the "GNU Bash Remote Code Execution" protection. You can bypass that on your internal network.

Prashan_Attanay
Collaborator
‎2017-11-29 03:15 AM
In response to Pedro_Espindola

Thank you, i think you understood the question. 

"GNU Bash Remote Code Execution" uses http as i noticed, so then how does it prevent from IPS if we are using "Non-compliant HTTP" ?

0 Kudos
Pedro_Espindola
Advisor
‎2017-11-29 03:27 AM
In response to Prashan_Attanay

"Non compliant HTTP" protection will inspect the header. "GNU Bash Remote Code Execution" inspects the content.

When you disable "Non compliant HTTP" protection it will no longer drop connections with a non compliant header, but the other protections will still inspect the rest of the data for exploit attempts. That is what is happening. Your IPS is not looking for non compliant connections anymore, but it is still looking for malicious signatures such as "GNU Bash Remote Code Execution".

If you want to bypass inspection for all HTTP connections you can create an exception rule setting source and destination as your internal network and http as the service.

SP: GNU Bash Remote Code execution is a Critical severity and High confidence protection. If you don't know why this is happening you should investigate.

Pedro_Espindola
Advisor
‎2017-11-29 03:42 AM
In response to Prashan_Attanay

Just to clarify:

There is no hierarchy between those 2 protections. Your connection may be fully compliant with HTTP and at the same time contain the "GNU Bash Remote Code Execution" signature.

Non compliant HTTP connections may not always be malicious. It simply means that the header was not formatted as specified by the RFC. This may be caused by a problem with the website. In some cases this can be exploited, that is why you have that protection.

Other protections in "inspection settings" are also focused on basic protocol structure. You may tweak them to prevent the use of native protocol features that may make an attackers life easier. However, this doesn't mean that you are being attacked every time you see a prevention log.

Protections under "IPS protections, on the other hand, are much more closely related to malicious traffic, even though there are many false positives.

Prashan_Attanay
Collaborator
‎2017-11-29 07:28 PM
In response to Pedro_Espindola

Thanks Pedro Smiley Happy 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events