Prashan_Attanay
Collaborator

IPS Non Compliant HTTP

Checkmates,

We bypass the IPS for our internal network with the option "Non compliant HTTP". But still "....../..ReturnSubmissionBS.svc" is rejected by the IPS.

What is the reason for that?

5 Replies
Pedro_Espindola
Advisor

Hello Prashan

I'm not sure I understand your question. "Non-compliant HTTP" protection does what the name says: prevents HTTP connections which are not compliant with protocol standards. Other protections for HTTP connections will still apply.

The prevention is happening for the "GNU Bash Remote Code Execution" protection. You can bypass that on your internal network.

Prashan_Attanay
Collaborator

Thank you, I think you understood the question.

"GNU Bash Remote Code Execution" uses HTTP, as I noticed, so then how does the IPS prevent it if we are using "Non-compliant HTTP"?

Pedro_Espindola
Advisor

"Non compliant HTTP" protection will inspect the header. "GNU Bash Remote Code Execution" inspects the content.

When you disable "Non compliant HTTP" protection it will no longer drop connections with a non compliant header, but the other protections will still inspect the rest of the data for exploit attempts. That is what is happening. Your IPS is not looking for non compliant connections anymore, but it is still looking for malicious signatures such as "GNU Bash Remote Code Execution".

If you want to bypass inspection for all HTTP connections you can create an exception rule setting source and destination as your internal network and http as the service.

PS: GNU Bash Remote Code Execution is a Critical severity and High confidence protection. If you don't know why this is happening you should investigate.

Pedro_Espindola
Advisor

Just to clarify:

There is no hierarchy between those 2 protections. Your connection may be fully compliant with HTTP and at the same time contain the "GNU Bash Remote Code Execution" signature.

Non compliant HTTP connections may not always be malicious. It simply means that the header was not formatted as specified by the RFC. This may be caused by a problem with the website. In some cases this can be exploited; that is why you have that protection.

Other protections in "Inspection Settings" are also focused on basic protocol structure. You may tweak them to prevent the use of native protocol features that may make an attacker's life easier. However, this doesn't mean that you are being attacked every time you see a prevention log.

Protections under "IPS Protections", on the other hand, are much more closely related to malicious traffic, even though there are many false positives.
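A small illustration of the distinction drawn in the replies above, added here as example code (not Check Point's code or signature, and not from the thread): a header-layer compliance check and a content-layer signature check are evaluated independently, so disabling the header check does not stop the content check from firing. The function names, the constructed requests and the simplified patterns are assumptions, not Check Point's actual protection logic.

```python
import re

# Constructed sample requests (not from the thread) covering the combinations
# the reply describes: header compliance and exploit content are independent.
SAMPLES = {
    "compliant_benign":
        b"GET /svc/ReturnSubmissionBS.svc HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "compliant_shellshock":
        b"GET /svc/ReturnSubmissionBS.svc HTTP/1.1\r\nHost: app.example\r\n"
        b"User-Agent: () { :; }; /bin/true\r\n\r\n",
    "noncompliant_benign":
        b"GET /svc/ReturnSubmissionBS.svc HTTP/1.1\nHost app.example\n\n",
    "noncompliant_shellshock":
        b"GET /svc/ReturnSubmissionBS.svc HTTP/1.1\nUser-Agent: () { :; }; /bin/true\n\n",
}

REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/\d\.\d$")
HEADER_LINE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[ \t]*[^\r\n]*$")
# Simplified stand-in for the Shellshock signature: the bash function-definition
# prefix that CVE-2014-6271 detections key on (assumption, not the vendor pattern).
SHELLSHOCK = re.compile(rb"\(\)\s*\{")


def header_compliant(raw: bytes) -> bool:
    """Header-layer check in the spirit of "Non compliant HTTP": CRLF line
    endings, a well-formed request line and 'name: value' header lines."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False                      # no CRLF CRLF end-of-headers marker
    if b"\n" in head.replace(b"\r\n", b""):
        return False                      # bare LF inside the header block
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return False
    return all(HEADER_LINE.match(line) for line in lines[1:])


def contains_shellshock(raw: bytes) -> bool:
    """Content-layer check: looks for the signature anywhere in the request,
    regardless of whether the surrounding headers are RFC-compliant."""
    return SHELLSHOCK.search(raw) is not None


def ips_verdict(raw: bytes, noncompliant_http_enabled: bool = True) -> list[str]:
    """Names of the protections that fire. Each is evaluated on its own;
    there is no hierarchy between them."""
    hits = []
    if noncompliant_http_enabled and not header_compliant(raw):
        hits.append("Non compliant HTTP")
    if contains_shellshock(raw):
        hits.append("GNU Bash Remote Code Execution")
    return hits
```

Running `ips_verdict(SAMPLES["compliant_shellshock"], noncompliant_http_enabled=False)` still returns the Bash protection, which is the situation the original question describes.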

Prashan_Attanay
Collaborator

Thanks Pedro :)
