New Member

Sig 5237 and Cisco Cache Engine

I'm constantly having 5237 alerts on a network.

All alerts for websites with SSL access.

The payload looks the same (on HTTP site, for example www.example.com):

CONNECT www.example.com:443 HTTP1.0

I contacted a number of people (sources of the attack) and one person told me the attack originated from a Cisco Cache Engine and they reinstalled the software to fix the problem.

Question: Is it a bug or a feature in Cisco Cache Engine (to use CONNECT requests)? Or is it normal behavior for proxy servers working with SSL web servers (trying to proxy using the HTTP instance first)?

3 REPLIES
Bronze

Re: Sig 5237 and Cisco Cache Engine

So, to clarify, the Cache Engine is making the CONNECT call? Is the Cache Engine configured to use an upstream proxy of some kind? The CONNECT method is used between a proxy client and server. If the Cache Engine is issuing CONNECT requests, my guess is that it is configured to use an upstream proxy to make the actual SSL requests. If this is the case, it is normal behavior. If the Cache Engine is not using a proxy, then I'd say it's unusual.

New Member

Re: Sig 5237 and Cisco Cache Engine

I don't know all the specifics, but as soon as I put in the signature level which included this one, I guess S18 or S19, I started getting thousands of alarms to/from our proxy on this signature. I called TAC and was advised to filter on the proxy for this alarm, so I'm pretty sure ours is the case where it's configured for an upstream proxy, which generates all these alarms that fill up the buffer. No problems since I've filtered.

New Member

Re: Sig 5237 and Cisco Cache Engine

Yes, Cache Engine is making the CONNECT call to the SAME_SITE:443.

Unfortunately I have no idea how the remote Cache Engine is configured, because I get these requests from a number of sources on the Internet.

Maybe it is the default configuration for the current or previous release of Cache Engine to look for an upstream proxy?

Is there any way for me to tune 5237 to ignore CONNECT calls to the HTTPS instance and fire alerts on everything else?

I can't disable the signature completely, but I don't want to react to the alerts from Cache Engines.
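The tuning the thread converges on (suppress CONNECT tunnels to port 443, optionally only when they come from a known proxy as TAC advised in the second reply, and keep alerting on every other CONNECT) can be expressed as a small post-processing filter. The script below is an added example written for this page; it is not Cisco IPS or Cache Engine code and does not reproduce how signature 5237 itself is implemented. The function names, the `known_proxies` parameter and the sample events (RFC 5737 documentation addresses) are constructed for illustration.

```python
"""Tuning filter for HTTP CONNECT alerts (added example, not Cisco IPS code).

A CONNECT host:443 request from a proxy or cache engine is the expected way to
open an HTTPS tunnel through an upstream proxy. This filter keeps those events
quiet and still surfaces everything else: CONNECT to a non-HTTPS port, CONNECT
without an explicit port, malformed CONNECT lines, and (optionally) CONNECT:443
from a source that is not a known proxy.
"""
import re
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Tuple

# Authority-form request line, e.g. "CONNECT www.example.com:443 HTTP/1.0".
# The slash in "HTTP/1.0" is optional because the payload quoted in the post
# shows it stripped ("HTTP1.0").
CONNECT_RE = re.compile(
    r"^CONNECT[ \t]+(?P<host>\[[0-9A-Fa-f:.]+\]|[^\s:/]+)(?::(?P<port>\d{1,5}))?"
    r"[ \t]+HTTP/?(?P<version>\d\.\d)$"
)

HTTPS_PORT = 443


def parse_connect(request_line: str) -> Optional[Tuple[str, Optional[int]]]:
    """Return (host, port) for a well-formed CONNECT request line, else None."""
    m = CONNECT_RE.match(request_line.strip())
    if m is None:
        return None
    port = int(m.group("port")) if m.group("port") is not None else None
    if port is not None and not 0 < port <= 65535:
        return None  # syntactically a port, but out of range: treat as malformed
    return m.group("host"), port


def classify(src_ip: str, request_line: str,
             known_proxies: Optional[List[str]] = None) -> Optional[str]:
    """Return an alert reason, or None when the event should be suppressed.

    known_proxies: optional list of CIDR strings (hypothetical parameter). When
    given, CONNECT:443 is suppressed only from those sources, which is the
    'filter on the proxy' tuning; when omitted, any CONNECT:443 is suppressed.
    """
    parsed = parse_connect(request_line)
    if parsed is None:
        if request_line.lstrip().upper().startswith("CONNECT"):
            return "malformed CONNECT request line"
        return None  # not a CONNECT request; outside this filter's scope
    host, port = parsed
    if port is None:
        return f"CONNECT to {host} without an explicit port"
    if port != HTTPS_PORT:
        return f"CONNECT tunnel to non-HTTPS port {host}:{port}"
    if known_proxies is not None:
        src = ip_address(src_ip)
        if not any(src in ip_network(net) for net in known_proxies):
            return f"CONNECT to {host}:{port} from non-proxy source {src_ip}"
    return None


def triage(events: Iterable[Tuple[str, str]],
           known_proxies: Optional[List[str]] = None) -> List[Tuple[str, str, str]]:
    """Run classify over (src_ip, request_line) pairs; return the events that still alert."""
    alerts = []
    for src_ip, line in events:
        reason = classify(src_ip, line, known_proxies)
        if reason is not None:
            alerts.append((src_ip, line, reason))
    return alerts


# Constructed sample events; addresses are documentation ranges, not real sources.
SAMPLE_EVENTS = [
    ("203.0.113.10", "CONNECT www.example.com:443 HTTP1.0"),   # cache engine, as quoted in the post
    ("203.0.113.10", "CONNECT www.example.com:443 HTTP/1.1"),
    ("198.51.100.7", "CONNECT www.example.com:443 HTTP/1.0"),  # same request, source is not a proxy
    ("198.51.100.7", "CONNECT 192.0.2.5:25 HTTP/1.0"),         # tunnel to a non-HTTPS port
    ("198.51.100.7", "CONNECT www.example.com HTTP/1.0"),      # no port given
    ("198.51.100.7", "GET /index.html HTTP/1.0"),              # not CONNECT, out of scope
]

if __name__ == "__main__":
    print("Port-only tuning (what the original poster asked for):")
    for src, line, why in triage(SAMPLE_EVENTS):
        print(f"  ALERT {src} {line!r}: {why}")
    print("Proxy-source tuning (the 'filter on the proxy' advice):")
    for src, line, why in triage(SAMPLE_EVENTS, known_proxies=["203.0.113.0/24"]):
        print(f"  ALERT {src} {line!r}: {why}")
```

With port-only tuning, the two cache-engine events and the unknown-source CONNECT:443 are all suppressed and only the port-25 tunnel and the port-less CONNECT alert; adding the proxy allow-list also keeps the CONNECT:443 from the non-proxy source.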
