CSC-SSM cannot block file transferred over HTTP

Hi,

I'm using the CSC-SSM module on our ASA 5510. All the functions on the module are working, except the file blocking function; for example, executable files over HTTP are not being blocked even though we have set it to block them.

Any suggestions or help is appreciated.

FYI, the software version of the CSC module is 6.1.1519, upgraded with the batch file b-6.1-b1519-1, and it has the Plus license.

Thanks,

3 Replies

joe19366
Level 1

Please post your ASA config. You will need to redirect traffic to the CSC with a policy map that has "csc" commands in the HTTP class.

-Joe
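As an added example (not Joe's configuration and not from the original thread), this is the shape of the policy-map diversion he describes, using the ASA `csc` policy action; the ACL, class-map, policy-map and interface names are assumed:

```cisco
! Constructed example: send HTTP (and the other CSC-scanned protocols) arriving
! on the inside interface to the CSC-SSM. Names csc_acl, csc_class and
! inside_policy are assumed. Only traffic matched by this ACL ever reaches the
! module, so CSC file blocking cannot act on HTTP the ACL does not cover.
access-list csc_acl extended permit tcp any any eq www
access-list csc_acl extended permit tcp any any eq ftp
access-list csc_acl extended permit tcp any any eq smtp
access-list csc_acl extended permit tcp any any eq pop3
!
class-map csc_class
 match access-list csc_acl
!
! fail-close: while the module is down or reloading, matched traffic is
! dropped instead of passing unscanned (fail-open trades that for availability).
policy-map inside_policy
 class csc_class
  csc fail-close
!
service-policy inside_policy interface inside
!
! Verification: confirm the policy is applied and the module is up.
show service-policy interface inside
show module 1 details
```

If `show service-policy` shows no packets hitting the csc class, the module never sees the HTTP session and its file blocking rules cannot apply.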

Marwan ALshawi
VIP Alumni

In this case you need to use ASA policies that inspect HTTP and port misuse.

Test for HTTP port cloaking:

Firewall(config-http-map)# port-misuse {default | im | p2p | tunnelling} action {allow | drop | reset} [log]

HTTP port cloaking is used to transport traffic from a non-HTTP application over the standard HTTP port. These applications appear to use regular HTTP, as if they were web-based applications. The firewall can detect some misuses of the HTTP port by examining the entire contents of each HTTP packet.

You can use one of the following keywords to detect a specific tunneling application:

• im - Instant messaging applications. In PIX 7.0, only Yahoo Messenger is detected.

• p2p - Peer-to-peer applications. In PIX 7.0, Kazaa and Gnutella can be detected.

• tunnelling - Data from arbitrary applications is tunneled inside HTTP request messages to bypass normal firewalls. In PIX 7.0, the following tunneling applications can be detected:

  o HTTPort/HTTHost - http://www.htthost.com
  o GNU Httptunnel - http://www.nocrew.org/software/httptunnel.html
  o GotoMyPC - http://www.gotomypc.com
  o Firethru Fire Extinguisher - http://www.firethru.com
  o Http-tunnel.com Client - http://www.http-tunnel.com

If the application is detected, the corresponding action is taken: allow the packet to pass, drop the packet, or reset the HTTP connection.

You can also use the default keyword to define an action to be taken for any HTTP port misuse application that is not one of the keywords listed.

You can repeat this command to define multiple applications to detect.

For example, the following commands reset connections if a peer-to-peer application, a tunneling application, or any other unrecognized port-cloaking application is detected. Only instant messaging applications are allowed to pass through.

Firewall(config)# http-map Filter_http
Firewall(config-http-map)# port-misuse im action allow
Firewall(config-http-map)# port-misuse default action reset log
Firewall(config-http-map)# exit

Also have a look at the following link regarding HTTP port misuse:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c38a6.shtml

Good luck.

If helpful, rate.

I would recommend upgrading to 6.2.1599.4. You can do this upgrade without any outage (only the CSC module will reload--not the ASA) and you will benefit from a countless number of bug fixes.

You will first need to upgrade to 6.2.1599.0, and then apply the 6.2.1599.4 patch.

-Mike
