
Unencrypted SSL Traffic

t.clark
Level 1

I have seen a couple of alerts from my IDSM for signature 6005/0 "Unencrypted SSL Traffic." The target IP address is one of my SSL proxy IP addresses (on CSM-S), TCP port 443. An example of the unencrypted traffic sent:

GET http://www.yahoo.com/ HTTP/1.1.

I have seen 4 such triggers today (each to different URLs) from the same "attacker" IP address. Can anyone tell me how or why this would be happening? Is this a possible bug with a web browser? Does anyone have a suggestion for where I can do further research on this?

Thanks

3 Replies

mhellman
Level 7

Interesting. The signature itself is pretty self-explanatory and not normally very useful. For example, you can trigger it using the following URL.

http://www.yahoo.com:443

Generally, I consider this benign. However, context matters. Isn't your CSM-S basically a reverse proxy that sits in front of your web servers? So, are you seeing this on an IDS in front of the CSM and the target IP is an IP address on the CSM?

If they were looking for an open proxy, it would be a CONNECT request. Or am I completely off, and you actually have users using this as a forward proxy to get to the Internet?

The CSM-S sits in front of web servers and acts as a 'reverse proxy' for those web servers. This is not a forward proxy for allowing users to access the Internet.

The IDS is in front of the CSM-S, so the IDS is reporting a client with a connection to mywebsite.com:443 sending an unencrypted HTTP GET request for www.yahoo.com.

I am also inclined to consider this benign, but I wanted to get some other input because it is so strange.

"so the IDS is reporting a client with a connection to mywebsite.com:443 sending an unencrypted HTTP GET request for www.yahoo.com"

That's the bit that is unusual. It is somewhat more interesting because it's not your own client->Internet traffic. I can't imagine how that could happen accidentally; someone would have to craft it (i.e., modify the Host header).
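The thread turns on three distinctions that the signature itself does not make: is the first data on the TCP/443 connection a TLS record or plaintext HTTP; if plaintext, is the request an origin-form GET (what you get by browsing to http://host:443/, which mhellman calls benign), an absolute-URI GET (the forward-proxy-style request the poster saw), or a CONNECT (an open-proxy probe); and is the destination a reverse proxy, where a proxy-style request has no legitimate reason to appear. The following is an added example written for this page, not code from the original thread or from Cisco. It classifies the first bytes of a connection and applies the role-of-destination reasoning from the discussion. All four sample payloads are constructed here for illustration; the absolute-URI one mirrors the request line quoted in the question, with CRLF line endings and a Host header added as assumptions.

```python
import re
from typing import Tuple

# Constructed sample payloads (not captured from the original thread): the first
# bytes a sensor might see on a TCP/443 connection in four different situations.
SAMPLES = {
    # TLS record header: content type 0x16 (handshake), version 0x0303, then a
    # truncated ClientHello body. This is what port 443 should normally carry.
    "tls_clienthello": b"\x16\x03\x03\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32,
    # What the poster saw: plaintext HTTP with an absolute URI in the request
    # line, i.e. a forward-proxy style request arriving at a reverse proxy.
    "absolute_uri_get": b"GET http://www.yahoo.com/ HTTP/1.1\r\nHost: www.yahoo.com\r\n\r\n",
    # An open-proxy probe: CONNECT asks the server to tunnel to a third party.
    "connect_probe": b"CONNECT mail.example.net:25 HTTP/1.1\r\nHost: mail.example.net:25\r\n\r\n",
    # Plain origin-form request, e.g. a user typing http://host:443/ into a browser.
    "origin_form_get": b"GET / HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n",
}

# Request line per RFC 7230: METHOD SP request-target SP HTTP-version; the line
# ending is optional so a truncated sample (like the one quoted above) still parses.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d\.\d)(?:\r?\n|$)")
ABSOLUTE_URI = re.compile(rb"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def is_tls_record(payload: bytes) -> bool:
    """True if the first bytes look like a TLS record header: content type 0x16
    (handshake) followed by a 0x03xx protocol version byte."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def classify_port443_payload(payload: bytes) -> str:
    """Label the start of a connection to port 443.

    Returns one of: "tls", "http-connect-probe", "http-absolute-uri",
    "http-origin-form", "http-other", "unknown-plaintext".
    """
    if is_tls_record(payload):
        return "tls"
    m = REQUEST_LINE.match(payload)
    if not m:
        return "unknown-plaintext"
    method, target, _version = m.groups()
    if method == b"CONNECT":
        return "http-connect-probe"
    if ABSOLUTE_URI.match(target):
        return "http-absolute-uri"
    if target.startswith(b"/"):
        return "http-origin-form"
    return "http-other"


def triage(payload: bytes, dst_role: str) -> Tuple[str, str]:
    """Apply the context argument from the thread: the same plaintext request is
    expected at a forward proxy but has no honest explanation at a reverse proxy.
    dst_role is "reverse-proxy" or "forward-proxy" (an assumed label, supplied by
    the analyst from their own inventory)."""
    kind = classify_port443_payload(payload)
    if kind == "tls":
        return kind, "expected"
    if kind == "http-connect-probe":
        return kind, "suspicious: open-proxy probe"
    if kind == "http-absolute-uri":
        if dst_role == "reverse-proxy":
            return kind, "suspicious: proxy-style request to a reverse proxy, likely crafted"
        return kind, "expected: forward-proxy client"
    if kind == "http-origin-form":
        return kind, "benign: plaintext HTTP to 443, e.g. http://host:443/ in a browser"
    return kind, "review: plaintext on 443 that is not a recognisable HTTP request"


if __name__ == "__main__":
    # Walk the constructed samples as if they were alerts against the CSM-S.
    for name, payload in SAMPLES.items():
        kind, verdict = triage(payload, "reverse-proxy")
        print(f"{name:18s} {kind:20s} {verdict}")
```

Running the block against a reverse-proxy destination flags only the absolute-URI GET and the CONNECT as suspicious; the origin-form GET is reported as benign, which matches mhellman's http://www.yahoo.com:443 test. The TLS check is deliberately minimal (record type and major version only) because the point of the signature is "not TLS at all", not TLS version policy.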
