New Member

HTTP Connect Tunnel (5237)

Hi,

Can anyone explain this signature clearly, please? When does it fire?

If I am seeing, for example, this signature fire from x.x.x.x to my mail server y.y.y.y:25 HTTP, what does this mean?

Thank you.

2 REPLIES
Gold

Re: HTTP Connect Tunnel (5237)

Generally speaking, HTTP connect tunnels are used by HTTP proxies to support SSL connections from browsers. The HTTP proxy basically acts as a TCP level proxy, and it doesn't care about the application layer. What this means is that just about any application can be tunneled.

See:

http://www.kb.cert.org/vuls/id/150227

There have been numerous instances where applications allowed this kind of behavior.

http://www.securityfocus.com/bid/4131/info

http://www.securityfocus.com/bid/4131/discuss

I have seen these attempts on port 25 and I'm not quite sure what the point is. Perhaps there was an SMTP service that had this problem? Or, the script is just crap. The more typical use would be to connect to an HTTP proxy (like on port 80 or 8080) and to attempt a "CONNECT mail.yourdomain.com 25" so that I can send SPAM anonymously.

Bronze

Re: HTTP Connect Tunnel (5237)

This alert will trigger when users establish WebEx meetings, and also for services like GoToMyPC. I've blocked any access to GoToMyPC using ACLs (inbound and outbound), but have to leave WebEx open since there's a business justification.

I'd check the IP address in question, and if it looks OK just add a Filter to prevent the alert.

I'd also suggest doing Log Pair Packets and running the results through Wireshark. You'll get much more of the exchange and (hopefully) figure out if it's malicious or not.

I'm hoping to get to the point where I can block this outright (except for WebEx), but I'm not quite there yet.
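As an added illustration of what the two replies above describe (not code from this thread, from Cisco, or from the IPS signature itself), the following Python parses the first line of captured TCP payloads for an HTTP CONNECT request line, records the tunnel target, and applies a site allowlist that plays the role of the "Filter" the second reply suggests for approved services. The flows, addresses and hostnames are constructed sample data; `mail.example.net` and `meeting.webex.example` are placeholders, not real targets, and the allowlist contents are an assumption about what a site might approve.

```python
import re
from dataclasses import dataclass

# First line of an HTTP CONNECT request, e.g. "CONNECT mail.example.net:25 HTTP/1.1".
# Bracketed IPv6 literals are deliberately not matched here; extend the host group if needed.
CONNECT_RE = re.compile(rb"^CONNECT[ \t]+([^\s:]+):(\d{1,5})[ \t]+HTTP/1\.[01]\r?\n")


@dataclass
class Alert:
    src: str          # client address
    dst: str          # server the request was sent to
    dst_port: int     # server port (25 in the question, 80/8080 for a real proxy)
    tunnel_host: str  # host the client asked the "proxy" to connect to
    tunnel_port: int  # port the client asked for
    suppressed: bool  # True when the tunnel host is on the site allowlist


def parse_connect(payload: bytes):
    """Return (host, port) if the payload starts with a CONNECT request line, else None."""
    m = CONNECT_RE.match(payload)
    if not m:
        return None
    port = int(m.group(2))
    if not 1 <= port <= 65535:  # reject syntactically valid but impossible ports
        return None
    return m.group(1).decode("ascii", "replace"), port


def inspect(flows, allowed_tunnel_hosts=frozenset()):
    """Scan (src, dst, dst_port, payload) tuples and return one Alert per CONNECT attempt."""
    alerts = []
    for src, dst, dst_port, payload in flows:
        parsed = parse_connect(payload)
        if parsed is None:
            continue
        host, port = parsed
        # Site-specific filter: an approved destination still produces a record,
        # but is marked suppressed instead of raising an active alert.
        suppressed = host.lower() in allowed_tunnel_hosts
        alerts.append(Alert(src, dst, dst_port, host, port, suppressed))
    return alerts


def describe(alert: Alert) -> str:
    """Human-readable one-liner, noting when the request hit a non-proxy port such as SMTP."""
    where = f"{alert.dst}:{alert.dst_port}"
    note = " (sent to an SMTP port, not a proxy port)" if alert.dst_port == 25 else ""
    state = "suppressed" if alert.suppressed else "ACTIVE"
    return f"{state}: {alert.src} asked {where} to CONNECT to {alert.tunnel_host}:{alert.tunnel_port}{note}"


def summarize(alerts):
    """Count active versus filtered alerts."""
    active = sum(1 for a in alerts if not a.suppressed)
    return {"active": active, "suppressed": len(alerts) - active}


# Constructed sample flows (addresses from documentation ranges, hostnames are placeholders).
SAMPLE_FLOWS = [
    ("198.51.100.7", "192.0.2.25", 25, b"CONNECT mail.example.net:25 HTTP/1.0\r\n\r\n"),
    ("10.0.0.5", "203.0.113.10", 443, b"CONNECT meeting.webex.example:443 HTTP/1.1\r\nHost: x\r\n\r\n"),
    ("198.51.100.7", "192.0.2.25", 25, b"EHLO mail.example.org\r\n"),
    ("10.0.0.6", "203.0.113.20", 8080, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
]

# Assumed site allowlist: the business-justified service from the reply above.
ALLOWED_TUNNEL_HOSTS = frozenset({"meeting.webex.example"})

if __name__ == "__main__":
    found = inspect(SAMPLE_FLOWS, ALLOWED_TUNNEL_HOSTS)
    for a in found:
        print(describe(a))
    print(summarize(found))
```

The first sample flow reproduces the situation in the question: a CONNECT request line delivered straight to port 25 of a mail server, which is only meaningful if something on that port behaves like a proxy. The second shows an approved conferencing destination being recorded but filtered, which is the behaviour the second reply recommends rather than discarding the event entirely.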
