Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

CSC-SSM cannot block file transferred over HTTP

Hi,

I'm using the CSC-SSM module on our ASA 5510. All the functions on the module are working, except the file blocking function, for example executable files over HTTP are not being blocked even if we set it to.

Any suggestions or help is appreciated.

FYI, the software version of CSC module is 6.1.1519 upgraded with the batch file b-6.1-b1519-1 and it has the Plus license.

Thanks,

3 REPLIES
joe Bronze
Bronze

Re: CSC-SSM cannot block file transferred over HTTP

Please post your ASA config. You will need to re-direct traffic to the CSC with a policy map that has "CSC" commands in the http class.

-Joe

Re: CSC-SSM cannot block file transferred over HTTP

in this case u need to use ASA policies that nspect http and port misuse

Test for HTTP port cloaking:

Firewall(config-http-map)# port-misuse {default | im | p2p | tunnelling}

action {allow | drop | reset} [log]

HTTP port cloaking is used to transport traffic from a non‐HTTP application over the standard HTTP

port. These applications appear to use regular HTTP, as if they were web‐based applications. The

firewall can detect some misuses of the HTTP port by examining the entire contents of each HTTP

packet.

You can use one of the following keywords to detect a specific tunneling application:

• im- Instant messaging applications. In PIX 7.0, only Yahoo Messenger is detected.

• p2p- Peer‐to‐peer applications. In PIX 7.0, Kazaa and Gnutella can be detected.

• tunnelling- Data from arbitrary applications is tunneled inside HTTP request messages to

bypass normal firewalls. In PIX 7.0, the following tunneling applications can be detected:

o HTTPort/HTTHost- http://www.htthost.com

o GNU Httptunnel- http://www.nocrew.org/software/httptunnel.html

o GotoMyPC- http://www.gotomypc.com

o Firethru Fire Extinguisher- http://www.firethru.com

o Http‐tunnel.com Client- http://www.http‐tunnel.com

If the application is detected, the corresponding action is taken: allow the packet to pass, drop the

packet, or reset the HTTP connection.

You can also use the default keyword to define an action to be taken for any HTTP port misuse

application that is not one of the keywords listed.

You can repeat this command to define multiple applications to detect.

For example, the following commands reset connections if a peer‐to‐peer application, a tunneling

application, or any other unrecognized port‐cloaking application is detected. Only instant messaging

applications are allowed to pass through.

Firewall(config)# http-map Filter_http

Firewall(config-http-map)# port-misuse im action allow

Firewall(config-http-map)# port-misuse default action reset log

Firewall(config-http-map)# exit

aslo have a look at the following link regarding http misuse:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c38a6.shtml

good luck

if helpful Rate

Re: CSC-SSM cannot block file transferred over HTTP

I would recommend upgrading to 6.2.1599.4. You can do this upgrade without any outage (only the CSC module will reload--not the ASA) and you will benefit from a countless number of bug fixes.

You will first need to upgrade to 6.2.1599.0, and then apply the 6.2.1599.4 patch.

-Mike

191
Views
0
Helpful
3
Replies
CreatePlease to create content