HTTP unknown protocol (HTTP_Unknown_Protocol)

About this signature or vulnerability

RealSecure Desktop, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Server IPS for Linux technology, Proventia Network IPS, RealSecure Desktop Protector 3.6, Proventia Desktop, BlackICE PC Protection, Proventia Server IPS for Microsoft Windows technology, BlackICE Server Protection, BlackICE Agent for Server, RealSecure Server Sensor, RealSecure Network:

This signature detects a 3-way handshake on port 80, followed by a non-HTTP-compliant request and then a non-HTTP-compliant response.


False negatives

RealSecure Desktop, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Server IPS for Linux technology, Proventia Network IPS, RealSecure Desktop Protector 3.6, Proventia Desktop, BlackICE PC Protection, Proventia Server IPS for Microsoft Windows technology, BlackICE Server Protection, BlackICE Agent for Server, RealSecure Server Sensor, RealSecure Network: If a tunnelling application uses valid HTTP protocol to deliver content (for example, by using the POST method), then this signature will not trigger.
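The trigger condition and the false negative described above can be illustrated with a short check. This is an added example, not the vendor's signature logic: the flow dictionary fields (`dst_port`, `handshake_complete`, `client_data`, `server_data`) are hypothetical names, the payloads are constructed samples, and "HTTP compliant" is assumed to mean a well-formed HTTP/1.x request line or status line.

```python
import re

# Request line: method token, request-target, HTTP-version (RFC 7230, section 3.1.1).
REQUEST_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+ [^ \r\n]+ HTTP/\d\.\d\r?\n")
# Status line: HTTP-version, three-digit status code, optional reason phrase.
STATUS_LINE = re.compile(rb"^HTTP/\d\.\d \d{3}(?: [^\r\n]*)?\r?\n")


def unknown_protocol(flow: dict) -> bool:
    """True when an established port-80 flow opens with a non-HTTP request
    AND a non-HTTP response; one non-compliant side alone is not enough."""
    if flow["dst_port"] != 80 or not flow["handshake_complete"]:
        return False
    bad_request = REQUEST_LINE.match(flow["client_data"]) is None
    bad_response = STATUS_LINE.match(flow["server_data"]) is None
    return bad_request and bad_response


def make_flow(client_data: bytes, server_data: bytes, dst_port: int = 80) -> dict:
    # Hypothetical flow record, as a stream reassembler might hand it over.
    return {"dst_port": dst_port, "handshake_complete": True,
            "client_data": client_data, "server_data": server_data}


# Constructed sample flows; none of these are captures from a real network.
FLOWS = {
    # Another protocol (an SSH banner exchange) running on port 80.
    "ssh_on_80": make_flow(b"SSH-2.0-OpenSSH_9.6\r\n", b"SSH-2.0-OpenSSH_9.6\r\n"),
    # Ordinary browsing.
    "plain_get": make_flow(b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
                           b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    # Opaque bytes carried inside a valid POST: the documented false negative.
    "post_tunnel": make_flow(
        b"POST /up HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\n\r\n\x00\x01\x02\x03",
        b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\n\x04\x05"),
    # Junk sent to a real web server, which answers with a valid HTTP error.
    "junk_to_webserver": make_flow(b"\x16\x03\x01\x00\x05hello",
                                   b"HTTP/1.1 400 Bad Request\r\n\r\n"),
}


def classify(flows: dict) -> dict:
    return {name: unknown_protocol(flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, hit in classify(FLOWS).items():
        print(f"{name}: {'HTTP_Unknown_Protocol' if hit else 'no event'}")
```

Only `ssh_on_80` raises the event; covering the `post_tunnel` case requires inspecting message bodies or traffic patterns rather than protocol framing.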

Default risk level

Low

Sensors that have this signature

RealSecure Desktop: eok, Proventia Network MFS: XPU 1.50, Proventia-G 1.1 and earlier: XPU 24.11, Proventia Network IDS: XPU 24.11, Proventia Server IPS for Linux technology: 1.0, Proventia Network IPS: XPU 1.50, RealSecure Desktop Protector 3.6: eok, Proventia Desktop: 8.0.614.8, BlackICE PC Protection: 3.6cpa, Proventia Server IPS for Microsoft Windows technology: 1.0.914.0, BlackICE Server Protection: 3.6.cpa, BlackICE Agent for Server: 3.6eok, RealSecure Server Sensor: XPU 24.11, RealSecure Network: XPU 24.11

Systems affected

IETF HTTP/1.1

Type

Protocol Signature

Vulnerability description

HTTP (port 80) can be used to tunnel unwanted traffic through firewalls. Traffic on port 80 that is not HTTP compliant has been detected.

How to remove this vulnerability

This event is for informational purposes only.

References

ISS X-Force
HTTP unknown protocol
http://www.iss.net/security_center/static/21259.php