I have seen a couple of alerts from my IDSM for signature 6005/0 "Unencrypted SSL Traffic." The target IP address is one of my SSL proxy IP addresses (on CSM-S), TCP port 443. An example of the unencrypted traffic sent:
I have seen 4 such triggers today (each to different URLs) from the same "attacker" IP address. Can anyone tell me how or why this would be happening? Is this a possible bug with a web browser? Does anyone have a suggestion for where I can do further research on this?
Generally, I consider this benign. However, context matters. Isn't your CSM-S basically a reverse proxy that sits in front of your web servers? So, are you seeing this on an IDS in front of the CSM and the target IP is an IP address on the CSM?
If they were looking for an open proxy, it would be a CONNECT request. Or am I completely off and you actually have users using this as a forward proxy to get to the Internet?
"so the IDS is reporting a client with a connection to mywebsite.com:443 sending an unencrypted HTTP GET request for www.yahoo.com"
That's the bit that is unusual. It is somewhat more interesting because it's not your own client->Internet traffic. I can't imagine how that could happen accidentally; someone would have to craft it (i.e. modify the HOST header).
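The distinction discussed in this thread (TLS versus plaintext HTTP on tcp/443, CONNECT versus GET, own site versus foreign Host) can be expressed as a small triage routine. This is an added example, not part of the original posts and not the IDSM signature's logic; the function name and the sample payloads are constructed, with the hostnames taken from the quote above.

```python
from urllib.parse import urlsplit

METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE",
           b"OPTIONS", b"TRACE", b"PATCH", b"CONNECT"}

def classify_first_payload(payload, local_hosts):
    """Triage the first client bytes seen on tcp/443: (kind, host, verdict)."""
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return ("tls", None, "expected")
    # SSLv2-compatible ClientHello: length high bit set, message type 0x01.
    if len(payload) >= 3 and payload[0] & 0x80 and payload[2] == 0x01:
        return ("tls", None, "expected")
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[0] not in METHODS or not parts[2].startswith(b"HTTP/"):
        return ("unknown", None, "not TLS and not an HTTP request line")
    method, target = parts[0], parts[1].decode("latin-1")
    host = None
    if method == b"CONNECT":
        host = target                       # authority-form: host:port
    elif "://" in target:
        host = urlsplit(target).hostname    # absolute-form, as sent to a forward proxy
    else:
        for line in lines[1:]:              # origin-form: requested site is in Host
            name, sep, value = line.partition(b":")
            if sep and name.strip().lower() == b"host":
                host = value.strip().decode("latin-1")
                break
    if host:
        host = host.lower().split(":")[0]   # drop port; IPv6 literals not handled
    if method == b"CONNECT":
        verdict = "proxy tunnel attempt"
    elif host is None:
        verdict = "plaintext request with no Host header"
    elif host in local_hosts:
        verdict = "plaintext request for a local site"
    else:
        verdict = "plaintext request for a foreign host"
    return ("plaintext-http", host, verdict)

# Constructed sample payloads (not captured traffic).
LOCAL = {"mywebsite.com", "www.mywebsite.com"}
SAMPLES = {
    "foreign_get": b"GET / HTTP/1.1\r\nHost: www.yahoo.com\r\n\r\n",
    "local_get": b"GET /login HTTP/1.1\r\nHost: mywebsite.com:443\r\n\r\n",
    "connect": b"CONNECT www.yahoo.com:443 HTTP/1.1\r\n\r\n",
    "client_hello": bytes.fromhex("160301020001000001fc0303"),
}
```

A "local site" verdict usually points at a client or link misconfiguration such as `http://site:443/`, while the "foreign host" and "proxy tunnel attempt" verdicts are the cases worth correlating by source address.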