CSC-SSM cannot block file transferred over HTTP

Unanswered Question
Sep 14th, 2008


I'm using the CSC-SSM module on our ASA 5510. All the functions on the module are working except file blocking: for example, executable files over HTTP are not being blocked even though we have set it to block them.

Any suggestions or help is appreciated.

FYI, the software version of the CSC module is 6.1.1519, upgraded with the batch file b-6.1-b1519-1, and it has the Plus license.


Marwan ALshawi Mon, 09/15/2008 - 05:47

In this case you need to use ASA policies that inspect HTTP and port misuse.

Test for HTTP port cloaking:

Firewall(config-http-map)# port-misuse {default | im | p2p | tunnelling} action {allow | drop | reset} [log]

HTTP port cloaking is used to transport traffic from a non-HTTP application over the standard HTTP port. These applications appear to use regular HTTP, as if they were web-based applications. The firewall can detect some misuses of the HTTP port by examining the entire contents of each HTTP

You can use one of the following keywords to detect a specific tunneling application:

• im - Instant messaging applications. In PIX 7.0, only Yahoo Messenger is detected.

• p2p - Peer-to-peer applications. In PIX 7.0, Kazaa and Gnutella can be detected.

• tunnelling - Data from arbitrary applications is tunneled inside HTTP request messages to bypass normal firewalls. In PIX 7.0, the following tunneling applications can be detected:

  o HTTPort/HTTHost
  o GNU Httptunnel
  o GotoMyPC
  o Firethru Fire Extinguisher
  o Http-Client - http://www.http‐

If the application is detected, the corresponding action is taken: allow the packet to pass, drop the packet, or reset the HTTP connection.

You can also use the default keyword to define an action to be taken for any HTTP port misuse application that is not one of the keywords listed.

You can repeat this command to define multiple applications to detect.

For example, the following commands reset connections if a peer-to-peer application, a tunneling application, or any other unrecognized port-cloaking application is detected. Only instant messaging applications are allowed to pass through.

Firewall(config)# http-map Filter_http
Firewall(config-http-map)# port-misuse im action allow
Firewall(config-http-map)# port-misuse default action reset log
Firewall(config-http-map)# exit

Also have a look at the following link regarding HTTP misuse:

good luck

if helpful Rate
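The http-map in the reply above is only defined, never applied, so on its own it does nothing. As an added example (not part of the reply or of Cisco's documentation), this is the full PIX/ASA 7.0/7.1-style Modular Policy Framework configuration that attaches the map to HTTP inspection; the class-map name HTTP_TRAFFIC, the policy-map name INSIDE_POLICY and the interface name "inside" are assumptions chosen here.

```cisco
! Added example: put the Filter_http map into effect with MPF (PIX/ASA 7.0/7.1 syntax).
! Assumed names: class-map HTTP_TRAFFIC, policy-map INSIDE_POLICY, interface "inside".
!
! 1. The http-map from the reply: allow IM, reset and log any other misuse of port 80.
http-map Filter_http
 port-misuse im action allow
 port-misuse default action reset log
 exit
!
! 2. Select the traffic to inspect: TCP port 80 (www).
class-map HTTP_TRAFFIC
 match port tcp eq www
 exit
!
! 3. Run the HTTP inspection engine with the map attached to it.
policy-map INSIDE_POLICY
 class HTTP_TRAFFIC
  inspect http Filter_http
  exit
 exit
!
! 4. Activate the policy on the interface where the clients' requests enter the firewall.
service-policy INSIDE_POLICY interface inside
!
! Check that the policy is active and counting hits:
!   show service-policy interface inside
! Resets triggered by "action reset log" show up in syslog, so point logging at a collector.
```

The http-map command is the 7.0/7.1 syntax; on 7.2 and later ASA software the same controls live under policy-map type inspect http, so confirm the module's ASA release before pasting.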

robertson.michael Mon, 09/15/2008 - 07:05

I would recommend upgrading to 6.2.1599.4. You can do this upgrade without any outage (only the CSC module will reload--not the ASA) and you will benefit from a countless number of bug fixes.

You will first need to upgrade to 6.2.1599.0, and then apply the 6.2.1599.4 patch.
