ASA HTTP strict inspection -- what parameters?

Answered Question
Apr 4th, 2008

I have the violation action set to log but there's no detail... neither the URL nor what's wrong with it. I looked at show asp drop (tcp issues) and show service-policy (just a counter of total protocol violations)... is there detail somewhere?

I can't even find a list of what constitutes a protocol violation... For instance, what's the limit for "excessive URL length"?

Thanks - Al

ALAN HARKRADER Fri, 04/11/2008 - 12:55

Oh, it's working... but I don't know what is considered an HTTP protocol violation.

Correct Answer
pengfang Sat, 04/12/2008 - 16:25

Enhanced HTTP inspection verifies that HTTP messages conform to RFC 2616 http://www.ietf.org/rfc/rfc2616.txt, use RFC-defined methods or supported extension methods, and comply with various other criteria. In many cases, you can configure these criteria and the system response when the criteria are not met, which is considered an HTTP protocol violation.

The criteria that you can apply to HTTP messages include the following:

• Does not include any method on a configurable list.
• Specific transfer encoding method or application type.
• HTTP transaction adheres to RFC specification.
• Message body size is within configurable limits.
• Request and response message header size is within a configurable limit.
• URI length is within a configurable limit.
• The content-type in the message body matches the header.
• The content-type in the response message matches the accept-type field in the request message.
• The content-type in the message is included in a predefined internal list.
• Message meets HTTP RFC format criteria.
• Presence or absence of selected supported applications.
• Presence or absence of selected encoding types.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html#wp1431359

"debug appfw" enables the display of detailed information about application inspection. The "undebug all" command turns off all enabled debug commands.


HTH
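Added example, not part of pengfang's reply or of Cisco's documentation: an ASA 7.2-style HTTP inspection policy that turns the criteria listed above into explicit, individually logged checks. This is where the "excessive URL length" threshold from the original question is actually set, so the answer to "what is the limit?" is "whatever you configure here". The class-map and policy-map names and every numeric limit are assumed values chosen for illustration.

```cisco
! Added example, not from the original thread. Policy/class names and every
! numeric limit below are assumed values; tune them to the applications you protect.

! Make the log actions visible: keep inspection syslogs in the buffer (assumed level)
logging enable
logging buffered informational

! Method allow-list. match-all means a request is flagged only when it is
! none of GET, HEAD or POST.
class-map type inspect http match-all HTTP-DISALLOWED-METHOD
 match not request method get
 match not request method head
 match not request method post

policy-map type inspect http HTTP-STRICT-PMAP
 parameters
  ! Generic RFC 2616 conformance failures: log rather than drop, as the
  ! original poster has it, so the syslog shows which check fired
  protocol-violation action log
  ! Number of body bytes examined for the body/content-type checks (assumed)
  body-match-maximum 1380
 ! "Excessive URL length" is whatever this threshold says; 2048 bytes is assumed
 match request uri length gt 2048
  log
 ! Header and body size limits (assumed values)
 match request header length gt 8192
  log
 match request body length gt 1048576
  log
 ! Response Content-Type must agree with the request's Accept header
 match req-resp content-type mismatch
  log
 ! Requests whose method is outside the allow-list: drop the connection and log it
 class HTTP-DISALLOWED-METHOD
  drop-connection log

! Attach the inspection policy to the default global service policy
policy-map global_policy
 class inspection_default
  inspect http HTTP-STRICT-PMAP
service-policy global_policy global
```

Each log action writes a syslog entry that names the policy map and the match statement that fired, so the per-violation detail the question asks for shows up in show logging rather than in show service-policy, which only keeps counters; show service-policy inspect http breaks those counters down per match statement. The exact wording of the syslog message depends on the ASA release. Starting with log-only actions and reviewing the buffer for a few days before switching any match to drop-connection avoids breaking legitimate applications that send long URIs or large POST bodies.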
