Cisco Support Community
New Member

http method not recognized and ntlm authentication

Does anybody know why IPS signatures fire on NTLM authentication proxy? In our environment we have ISA 2004 and the IPS is complaining about HTTP not in RFC specs and HTTP method not recognized. Is it possible that the IPS does not understand NTLM proxy authentication?

3 REPLIES
Cisco Employee

Re: http method not recognized and ntlm authentication

Can you send me what signatures are firing and a traffic sample that is causing the issue? The sensor understands SMB and MSRPC, but does not do MSRPC over HTML, and I wonder if your proxy authentication is implemented this way.

Scott Cothrell

Cisco IPS Dev Team

New Member

Re: http method not recognized and ntlm authentication

The signatures that fire are 12674 and 12676

Cisco Employee

Re: http method not recognized and ntlm authentication

These signatures are policy enforcement signatures. They are firing because the AIC engine has determined that the NTLM proxy application is running a non-web HTTP-based protocol on a web port. That will trigger 12674. 12676 is triggered when an HTTP request method is seen that is not in the list of acceptable HTTP request methods (listed in the 12676 config). Currently, the method list should be considered static: even though it appears that you can add to this list, there are known issues that make updating it unreliable.

I'd look at the alarms to see if either the attacker or victim address is constant. I'm not sure how it will fire, but if one side is consistently the ISA system, then you can probably implement an alarm channel filter to keep those two signatures from firing with the ISA as the attacker/victim. Personally, I'd consider disabling the signatures since they are not compatible with your network policy.

WRT tuning 12676, the entire AIC engine is being actively worked on to improve its robustness and functionality, though no specific release vehicle has been determined--yet.
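The two behaviours described in this answer (12676 flagging a request method that is not on a fixed allow-list, 12674 flagging non-HTTP data on a web port) and the suggested alarm channel filter keyed on the ISA address can be modelled in a few lines. The following is an added illustration, not Cisco IPS code and not the sensor's actual configuration syntax; the signature numbers are the ones named in the thread, while the method allow-list, the sample request lines and the addresses are constructed here.

```python
"""Toy model of the 12674/12676 policy checks and an alarm channel filter.

Constructed example; it is not Cisco IPS code. The signature IDs come from
the thread above, everything else (allow-list, sample traffic, addresses)
is made up for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed allow-list of HTTP request methods. The real 12676 list lives
# in the signature configuration and should be treated as static.
ALLOWED_METHODS = frozenset({
    "GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT",
})


@dataclass(frozen=True)
class Alert:
    sig_id: int      # 12674 or 12676 in this model
    attacker: str    # source address as the sensor would report it
    victim: str      # destination address
    detail: str


def check_request_line(line: str, src: str, dst: str) -> Optional[Alert]:
    """Apply the two policy checks to one request line seen on a web port.

    Simplified analogue of the AIC engine: a line that is not of the form
    "<METHOD> <target> HTTP/x.y" is treated as a non-HTTP protocol on a web
    port (12674); a well-formed line whose method is not on the allow-list
    triggers the method check (12676).
    """
    parts = line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return Alert(12674, src, dst,
                     f"non-HTTP data on web port: {line[:20]!r}")
    method = parts[0]
    if method not in ALLOWED_METHODS:
        return Alert(12676, src, dst,
                     f"request method {method!r} not in allowed list")
    return None


def filter_alerts(alerts: Iterable[Alert], suppress_sigs: Set[int],
                  exempt_host: str) -> List[Alert]:
    """Model of the alarm channel filter suggested above: drop alerts for the
    listed signatures when either the attacker or the victim is the proxy
    (ISA) host, and keep everything else untouched."""
    return [a for a in alerts
            if not (a.sig_id in suppress_sigs
                    and exempt_host in (a.attacker, a.victim))]


def run_sample() -> List[Alert]:
    """Run the checks over constructed traffic and apply the filter."""
    isa_host = "192.0.2.10"  # constructed address standing in for the ISA proxy
    client = "10.0.0.5"      # constructed internal client
    # Constructed sample request lines as a sensor might reassemble them.
    sample = [
        ("GET /index.html HTTP/1.1", client, isa_host),   # normal, no alert
        ("EXAMPLE_METHOD /auth HTTP/1.1", client, isa_host),  # 12676
        ("\x05\x00\x0b\x03binary-blob", client, isa_host),    # 12674
        ("FOO / HTTP/1.0", client, "198.51.100.7"),        # 12676, not the ISA
    ]
    raw = [a for line, s, d in sample
           if (a := check_request_line(line, s, d)) is not None]
    return filter_alerts(raw, {12674, 12676}, isa_host)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert.sig_id, alert.attacker, "->", alert.victim, alert.detail)
```

Running it shows three raw alerts, of which only the one whose endpoints do not involve the constructed ISA address survives the filter; that is the trade-off the answer describes, since the filter hides the proxy's traffic but still reports the same methods from any other pair of hosts. The parser is deliberately crude (a request target containing a space would also land in the 12674 branch), which is the same kind of false positive a fixed allow-list produces for a legitimate but non-standard proxy protocol.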
