New Member

Unencrypted SSL Traffic

I have seen a couple of alerts from my IDSM for signature 6005/0 "Unencrypted SSL Traffic." The target IP address is one of my SSL proxy IP addresses (on CSM-S), TCP port 443. An example of the unencrypted traffic sent:

GET http://www.yahoo.com/ HTTP/1.1.

I have seen 4 such triggers today (each to different URLs) from the same "attacker" IP address. Can anyone tell me how or why this would be happening? Is this a possible bug with a web browser? Does anyone have a suggestion for where I can do further research on this?

Thanks

3 REPLIES
Gold

Re: Unencrypted SSL Traffic

Interesting. The signature itself is pretty self-explanatory and not normally very useful. For example, you can trigger it using the following URL:

http://www.yahoo.com:443

Generally, I consider this benign. However, context matters. Isn't your CSM-S basically a reverse proxy that sits in front of your web servers? So, are you seeing this on an IDS in front of the CSM and the target IP is an IP address on the CSM?

If they were looking for an open proxy, it would be a CONNECT request. Or am I completely off, and you actually have users using this as a forward proxy to get to the Internet?

New Member

Re: Unencrypted SSL Traffic

The CSM-S sits in front of web servers and acts as a 'reverse proxy' for those web servers. This is not a forward proxy for allowing users to access the Internet.

The IDS is in front of the CSM-S, so the IDS is reporting a client with a connection to mywebsite.com:443 sending an unencrypted HTTP GET request for www.yahoo.com.

I am also inclined to consider this benign, but I wanted to get some other input because it is so strange.

Gold

Re: Unencrypted SSL Traffic

"so the IDS is reporting a client with a connection to mywebsite.com:443 sending an unencrypted HTTP GET request for www.yahoo.com"

That's the bit that is unusual. It is somewhat more interesting because it's not your own client->Internet traffic. I can't imagine how that could happen accidentally; someone would have to craft it (i.e. modify the Host header).
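The check behind a signature like 6005/0, written out as an added example (not code from the thread or from Cisco): it tells a TLS ClientHello apart from cleartext HTTP on tcp/443 and, for cleartext, reports the request form the replies distinguish, an absolute-URI request line like the one in the original post, a CONNECT open-proxy probe, or a plain request from a browser pointed at http://host:443. Sample payloads are constructed.

```python
import re

# Constructed sample payloads: first client->server bytes of a tcp/443 segment.
SAMPLES = {
    "tls": bytes.fromhex("160301005a010000560303") + b"\x00" * 50,
    "absolute_uri": b"GET http://www.yahoo.com/ HTTP/1.1\r\nHost: www.yahoo.com\r\n\r\n",
    "connect": b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n",
    "origin_form": b"GET / HTTP/1.1\r\nHost: www.yahoo.com:443\r\nUser-Agent: browser\r\n\r\n",
}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ", b"TRACE ")
REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/1\.[01]\r?\n")


def classify_443_payload(payload: bytes) -> dict:
    """Label the first client->server bytes on tcp/443: TLS, cleartext HTTP, or other.

    For cleartext HTTP the "form" field separates an ordinary request line
    (origin form, e.g. a browser told to use http://host:443) from a
    proxy-style absolute URI and from a CONNECT tunnel request."""
    # TLS record header: type 0x16 = handshake, major version 0x03, 2-byte
    # length, then handshake type 0x01 = ClientHello.
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return {"kind": "tls_client_hello", "alert": False}
    if not payload.startswith(HTTP_METHODS):
        return {"kind": "other", "alert": False}
    m = REQUEST_LINE.match(payload)
    if not m:
        return {"kind": "plaintext_http", "alert": True, "form": "malformed"}
    method, target = m.group(1).decode(), m.group(2).decode(errors="replace")
    # Pull the Host header, if present, out of the header block.
    host = None
    for line in payload[m.end():].split(b"\n"):
        line = line.strip()
        if not line:
            break
        if line.lower().startswith(b"host:"):
            host = line.split(b":", 1)[1].strip().decode(errors="replace")
    if method == "CONNECT":
        form = "connect"        # tunnel request: what an open-proxy probe looks like
    elif "://" in target:
        form = "absolute-uri"   # proxy-style request line, as in the original post
    else:
        form = "origin"         # plain request line; typical of http://host:443 in a browser
    return {"kind": "plaintext_http", "alert": True, "method": method,
            "target": target, "host": host, "form": form}
```

Run over the IDS's captured payload bytes, the "form" field is what decides whether an alert is worth chasing: origin-form requests match the benign case the first reply describes, while absolute-URI and CONNECT requests against a reverse proxy are the crafted ones.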
