Cisco Support Community

Unencrypted SSL Traffic

I have seen a couple of alerts from my IDSM for signature 6005/0 "Unencrypted SSL Traffic." The target IP address is one of my SSL proxy IP addresses (on CSM-S), TCP port 443. An example of the unencrypted traffic sent:


I have seen 4 such triggers today (each to different URLs) from the same "attacker" IP address. Can anyone tell me how or why this would be happening? Is this a possible bug with a web browser? Does anyone have a suggestion for where I can do further research on this?



Re: Unencrypted SSL Traffic

Interesting. The signature itself is pretty self-explanatory and not normally very useful... for example, you can trigger it using the following URL.

Generally, I consider this benign. However, context matters. Isn't your CSM-S basically a reverse proxy that sits in front of your web servers? So, are you seeing this on an IDS in front of the CSM and the target IP is an IP address on the CSM?

If they were looking for an open proxy, it would be a CONNECT request. Or am I completely off and you actually have users using this as a forward proxy to get to the Internet?

Re: Unencrypted SSL Traffic

The CSM-S sits in front of web servers and acts as a 'reverse proxy' for those web servers. This is not a forward proxy for allowing users to access the internet.

The IDS is in front of the CSM-S, so the IDS is reporting a client with a connection to sending an unencrypted HTTP GET request for

I am also inclined to consider this benign, but I wanted to get some other input because it is so strange.


Re: Unencrypted SSL Traffic

"so the IDS is reporting a client with a connection to sending an unencrypted HTTP GET request for"

That's the bit that is unusual. It is somewhat more interesting because it's not your own client->Internet traffic. I can't imagine how that could happen accidentally; someone would have to craft it (i.e. modify the HOST header).
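
An added example, not posted by any participant in the thread: a Python triage helper for the first client bytes seen on TCP/443 in front of a reverse proxy, separating a TLS handshake from cleartext HTTP and splitting the cleartext cases the replies distinguish (CONNECT, a request for a host the proxy serves, a request naming some other host). The function names, the `served_hosts` set and the sample payloads are constructed assumptions; this does not reproduce the logic of signature 6005/0.

```python
from urllib.parse import urlsplit

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE",
                b"OPTIONS", b"TRACE", b"CONNECT")

def looks_like_tls(data: bytes) -> bool:
    """True if data starts like a TLS record or an SSLv2-style ClientHello."""
    if len(data) < 3:
        return False
    if data[0] == 0x16 and data[1] == 0x03:   # handshake record, major version 3
        return True
    # SSLv2-compatible hello: length field with high bit set, message type 1
    return bool(data[0] & 0x80) and data[2] == 0x01

def triage(data: bytes, served_hosts: set) -> str:
    """Classify the first client payload on port 443 (hypothetical labels)."""
    if looks_like_tls(data):
        return "tls"
    head = data.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if (len(parts) != 3 or parts[0] not in HTTP_METHODS
            or not parts[2].startswith(b"HTTP/")):
        return "unknown-cleartext"
    if parts[0] == b"CONNECT":
        return "http-connect"          # forward-proxy style request
    target = parts[1].decode("latin-1")
    host = ""
    if "://" in target:                # absolute-form request target
        host = urlsplit(target).hostname or ""
    else:                              # origin-form: fall back to Host header
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"host":
                value = value.strip().decode("latin-1")
                host = urlsplit("//" + value).hostname or ""
                break
    if host in served_hosts:
        return "http-own-host"         # e.g. an http:// URL pointed at port 443
    return "http-foreign-host"         # names a host this proxy does not serve

# Constructed sample payloads (not taken from the thread)
SERVED = {"www.example.com"}
SAMPLES = {
    "hello": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",
    "own": b"GET /index.html HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n",
    "foreign": b"GET http://other.example.net/ HTTP/1.1\r\n"
               b"Host: other.example.net\r\n\r\n",
    "connect": b"CONNECT other.example.net:443 HTTP/1.1\r\n\r\n",
}
```

Fed from a packet capture, the "http-foreign-host" and "http-connect" results are the ones worth correlating by source address.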
