Introduction
Application Protocol Inspection Overview
Application Protocol Inspection Example: HTTP Deep Packet Inspection
Conclusion
Resources
Introduction

The Cisco ACE Application Control Engine Appliance and Module can be an effective means of mitigating network vulnerabilities using Application Protocol Inspection.
This document provides identification techniques that administrators can use on Cisco network devices to determine whether the prevention methods are having the desired effect. The Cisco ACE Application Control Engine Appliance and Module can also provide visibility into potential network attacks through syslog messages and counter values displayed in the output of show commands. The show command output below was produced with policy maps that match an HTTP URI and an HTTP body.
Application Protocol Inspection Overview

Application protocol inspection is available for the Cisco ACE Application Control Engine Appliance and Module. This advanced security feature performs deep packet inspection of traffic that transits the Cisco ACE. Administrators can construct an inspection policy for applications that require special handling through the configuration of inspection class maps and inspection policy maps, which are applied via a global or interface service policy.
Additional information about application protocol inspection is in the Configuring Application Protocol Inspection section of the Cisco ACE 4700 Series Appliance Security Configuration Guide.
Application Protocol Inspection Example: HTTP Deep Packet Inspection

Cisco ACE Application Control Engine syslog message 415006 will be generated when the URI matches a user-defined regular expression. The syslog message will identify the corresponding HTTP class and HTTP policy and indicate the action applied to the HTTP connection. Additional information about this syslog message is in Cisco ACE 4700 Series Appliance System Message Guide - System Message 415006.
ACE syslog message 415007 will be generated when an HTTP message body matches a user-defined regular expression. The syslog message will identify the corresponding HTTP class and HTTP policy and indicate the action applied to the HTTP connection. Additional information about this syslog message is in Cisco ACE 4700 Series Appliance System Message Guide - System Message 415007.
ACE/Admin# show logging | include 415006
Sep 21 2013 15:26:43: %ACE-5-415006: HTTP - matched MS11-001_class in policy-map L4_http_Policy, URI matched - Resetting connection from vlan130:192.168.60.63/1777 to vlan206:192.0.2.71/80 Connection 0x33
Sep 21 2013 15:30:33: %ACE-5-415006: HTTP - matched MS11-001_class in policy-map L4_http_Policy, URI matched - Resetting connection from vlan130:192.168.60.63/1774 to vlan206:192.0.2.71/80 Connection 0x31

ACE/Admin# show logging | include 415007
Sep 21 2013 15:26:43: %ACE-5-415007: HTTP - matched vulnerable_activeX_http_class in policy-map L4_http_Policy, Body matched - Resetting connection from vlan206:192.0.2.94/80 to vlan130:192.168.60.63/1776 Connection 0x3a
Sep 21 2013 15:30:33: %ACE-5-415007: HTTP - matched vulnerable_activeX_http_class in policy-map L4_http_Policy, Body matched - Resetting connection from vlan206:192.0.2.94/80 to vlan130:192.168.60.63/1778 Connection 0x3c
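The 415006 and 415007 messages above have a fixed layout, so they can be parsed off-box for counting and correlation. The following Python is an added example (not Cisco's code) that parses those two message formats into structured records and counts resets per inspection class; the sample log is constructed from the lines shown in this document plus one deliberately malformed line.

```python
import re
from collections import Counter

# Added example, not Cisco's code: parse %ACE-5-415006 (URI match) and
# %ACE-5-415007 (body match) lines as printed by "show logging".
ACE_HTTP_INSPECT = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ACE-(?P<severity>\d)-(?P<msgid>41500[67]): HTTP - "
    r"matched (?P<cls>[^\s,]+) in policy-map (?P<policy>[^\s,]+), "
    r"(?P<where>URI|Body) matched - (?P<action>\w+) connection "
    r"from (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"Connection (?P<conn_id>0x[0-9a-fA-F]+)$"
)

def parse_line(line):
    """Return a dict of fields for a 415006/415007 line, or None otherwise."""
    m = ACE_HTTP_INSPECT.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("severity", "src_port", "dst_port"):
        rec[key] = int(rec[key])
    # "from" is the peer whose HTTP message matched: the client for a URI
    # match (415006), the server for a body match (415007).
    return rec

def summarize(lines):
    """Count hits per (message id, class, action); unrelated lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["msgid"], rec["cls"], rec["action"])] += 1
    return counts

# Constructed sample: the four lines shown in the document plus one
# malformed line that the parser must ignore.
SAMPLE_LOG = """\
Sep 21 2013 15:26:43: %ACE-5-415006: HTTP - matched MS11-001_class in policy-map L4_http_Policy, URI matched - Resetting connection from vlan130:192.168.60.63/1777 to vlan206:192.0.2.71/80 Connection 0x33
Sep 21 2013 15:30:33: %ACE-5-415006: HTTP - matched MS11-001_class in policy-map L4_http_Policy, URI matched - Resetting connection from vlan130:192.168.60.63/1774 to vlan206:192.0.2.71/80 Connection 0x31
Sep 21 2013 15:26:43: %ACE-5-415007: HTTP - matched vulnerable_activeX_http_class in policy-map L4_http_Policy, Body matched - Resetting connection from vlan206:192.0.2.94/80 to vlan130:192.168.60.63/1776 Connection 0x3a
Sep 21 2013 15:30:33: %ACE-5-415007: HTTP - matched vulnerable_activeX_http_class in policy-map L4_http_Policy, Body matched - Resetting connection from vlan206:192.0.2.94/80 to vlan130:192.168.60.63/1778 Connection 0x3c
Sep 21 2013 15:31:00: %ACE-5-415006: HTTP - truncated line (constructed, ignored)
"""

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(key, n)
```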
When HTTP deep packet inspection is enabled, the show service-policy policyname detail command will identify the number of HTTP connections that are inspected and dropped by this feature. The following example shows output for show service-policy L4_http_Policy detail:
ACE/Admin# show service-policy L4_http_Policy detail

Status : ACTIVE
Description: -----------------------------------------
Context Global Policy:
  service-policy: L4_http_Policy
    class: L4_http_class
      inspect http:
        L7 inspect policy : http_Policy
        Url Logging: DISABLED
        curr conns       : 0         , hit count        : 1
        dropped conns    : 0
        client pkt count : 3         , client byte count: 589
        server pkt count : 3         , server byte count: 547
        conn-rate-limit      : 0     , drop-count : 0
        bandwidth-rate-limit : 0     , drop-count : 0
        L4 policy stats:
          Total Req/Resp: 4         , Total Allowed: 2
          Total Dropped : 2         , Total Logged : 0
        L7 Inspect policy : http_Policy
          class/match : MS11-001_class
            Inspect action : reset log
            Total Inspected : 2     , Total Matched: 1
            Total Dropped OnError: 0
          class/match : vulnerable_activeX_http_class
            Inspect action : reset log
            Total Inspected : 2     , Total Matched: 1
            Total Dropped OnError: 0

In the preceding example, 4 HTTP connections have been inspected and 2 HTTP connections have been dropped.
Additional information about HTTP deep packet inspection and application protocol inspection is in the Configuring Application Protocol Inspection section of the Cisco ACE 4700 Series Appliance Security Configuration Guide.
Conclusion
In summary, network administrators and security engineers can apply the exploit attempt identification techniques presented in this document to other vulnerabilities by substituting the attack vector characteristics of the vulnerability under investigation for the example attack vectors used here. These techniques help administrators verify that exploit attempts have no impact on the network.
Resources
- Cisco ACE Application Control Engine Module Documentation
- Cisco Applied Mitigation Bulletins
- Subscribe to Cisco Applied Mitigation Bulletins
- Cisco Security Intelligence Operations
- Cisco Network Foundation Protection White Papers
- Cisco Network Foundation Protection Presentations
This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.
This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.