CSC-SSM cannot block file transferred over HTTP

Sep 14th, 2008

Hi,


I'm using the CSC-SSM module on our ASA 5510. All the functions on the module are working, except the file blocking function, for example executable files over HTTP are not being blocked even if we set it to.

Any suggestions or help is appreciated.


FYI, the software version of CSC module is 6.1.1519 upgraded with the batch file b-6.1-b1519-1 and it has the Plus license.


Thanks,

Marwan ALshawi Mon, 09/15/2008 - 05:47

In this case you need to use ASA policies that inspect HTTP and port misuse.


Test for HTTP port cloaking:

Firewall(config-http-map)# port-misuse {default | im | p2p | tunnelling} action {allow | drop | reset} [log]

HTTP port cloaking is used to transport traffic from a non-HTTP application over the standard HTTP port. These applications appear to use regular HTTP, as if they were web-based applications. The firewall can detect some misuses of the HTTP port by examining the entire contents of each HTTP packet.

You can use one of the following keywords to detect a specific tunneling application:

• im - Instant messaging applications. In PIX 7.0, only Yahoo Messenger is detected.

• p2p - Peer-to-peer applications. In PIX 7.0, Kazaa and Gnutella can be detected.

• tunnelling - Data from arbitrary applications is tunneled inside HTTP request messages to bypass normal firewalls. In PIX 7.0, the following tunneling applications can be detected:

  o HTTPort/HTTHost - http://www.htthost.com

  o GNU Httptunnel - http://www.nocrew.org/software/httptunnel.html

  o GotoMyPC - http://www.gotomypc.com

  o Firethru Fire Extinguisher - http://www.firethru.com

  o Http-tunnel.com Client - http://www.http-tunnel.com

If the application is detected, the corresponding action is taken: allow the packet to pass, drop the packet, or reset the HTTP connection.

You can also use the default keyword to define an action to be taken for any HTTP port misuse application that is not one of the keywords listed.

You can repeat this command to define multiple applications to detect.

For example, the following commands reset connections if a peer-to-peer application, a tunneling application, or any other unrecognized port-cloaking application is detected. Only instant messaging applications are allowed to pass through.

Firewall(config)# http-map Filter_http
Firewall(config-http-map)# port-misuse im action allow
Firewall(config-http-map)# port-misuse default action reset log
Firewall(config-http-map)# exit


Also have a look at the following link regarding HTTP misuse:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c38a6.shtml


good luck


If helpful, rate.
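The reply above defines the http-map but stops before attaching it to anything; an http-map does nothing until it is referenced by an `inspect http` statement inside a policy that is applied to an interface. The following is an added example, not from the original post or from Cisco's documentation, showing the complete chain in the 7.0/7.1-style syntax the reply uses. It goes one step beyond the reply by naming every port-misuse keyword explicitly rather than relying on `default`. The names Filter_http, HTTP_TRAFFIC and global_policy are assumed.

```cisco
! Added example: full configuration chain for http-map port-misuse
! detection on a PIX/ASA 7.0/7.1-style platform. All map, class and
! policy names are assumptions, not values from the original post.

! 1. Define the HTTP inspection map and the action for each port-misuse
!    class. Only instant messaging is permitted; everything else that is
!    recognised as port cloaking gets the TCP connection reset and logged.
http-map Filter_http
 port-misuse im action allow
 port-misuse p2p action reset log
 port-misuse tunnelling action reset log
 port-misuse default action reset log

! 2. Select the traffic the map should see: anything on TCP port 80.
class-map HTTP_TRAFFIC
 match port tcp eq www

! 3. Bind the map to the HTTP inspection engine for that class.
policy-map global_policy
 class HTTP_TRAFFIC
  inspect http Filter_http

! 4. Apply the policy on all interfaces (skip if global_policy is
!    already applied, as it is in the factory default configuration).
service-policy global_policy global

! 5. Confirm the map is present and that the inspection is active.
show running-config http-map
show service-policy inspect http
```

Two practical notes. First, per the documentation quoted in the reply, port-misuse detection identifies non-HTTP applications cloaked on the HTTP port; it does not by itself classify ordinary HTTP downloads by file type, so it complements rather than replaces the CSC-SSM file-blocking setting the question asks about. Second, with `reset log` on every non-IM class, watch the syslog output after enabling it, since legitimate web applications that trip the `default` heuristics will show up there and may need an `allow` entry.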



robertson.michael Mon, 09/15/2008 - 07:05

I would recommend upgrading to 6.2.1599.4. You can do this upgrade without any outage (only the CSC module will reload--not the ASA) and you will benefit from a countless number of bug fixes.


You will first need to upgrade to 6.2.1599.0, and then apply the 6.2.1599.4 patch.


-Mike
