The firewall has detected incorrect usage of HTTP.
Details
The firewall manages the following HTTP protocols:
- HTTP 1.0: Hypertext Transfer Protocol (HTTP) is an application-layer protocol that is light and fast enough to transmit distributed documents and multimedia through a multi-user information system. HTTP has been in use by the World Wide Web initiative since 1990.
- HTTP 1.1: an extension of HTTP 1.0 that improves connection handling and compression,
- ShoutCast: allows the real-time broadcast of audio media on the Internet,
- ICAP 1.0: Internet Content Adaptation Protocol, which allows the adaptation of HTTP requests received by services offered by a web server.
Each of these protocols works according to the standards defined in its RFC. Invalid usage of these protocols will set off an alarm.
If this alarm is configured as pass and a packet that triggers the alarm is received, the corresponding plugin will detach from the connection and no further protocol analysis will be performed on it.
Triggering conditions
A packet containing invalid usage of HTTP has been detected.
Complements
The context of the "Invalid HTTP protocol" alarm is detailed by one of the following additional messages:
"shoutcast disabled"
The use of Shoutcast is not authorized.
"version"
HTTP version that the plugin does not analyze.
"operation"
HTTP command that the plugin does not analyze.
"missing proxy host"
Proxy request does not contain the host name.
"invalid request"
The HTTP request is invalid.
"no pending request"
There has not been any request for this response (a response must ALWAYS be accompanied by a prior request).
"return code"
The server returns an invalid code.
"invalid result"
The server returns an invalid status.
"invalid header format"
The HTTP analysis has signaled that a field in the header is invalid.
"client data after request"
The client sent data after its request when it should not have, e.g. data after a GET request.
"denied operation"
The operation is denied by configuration.
"null char in request"
A null character was detected in a request.
"null char in request body"
A null character was detected in a request body.
"content length"
The Content-Length header value is invalid.
"null char in reply"
A null character was detected in a reply.
"null char in reply body"
A null character was detected in a reply body.
"shoutcast interleave"
The icy-metaint header value is invalid.
"null char in cookie"
A null character was detected in a cookie.
"null char in set-cookie"
A null character was detected in a set-cookie.
"null char in chunk len"
A null character was detected in the length of a chunk.
"chunked len empty"
The length of a chunk is 0.
"chunked len format"
The format of the length of a chunk is invalid.
"chunk data found instead of crlf"
Chunk data were found instead of CRLF.
"null char in chunk footer"
A null character was found in the length of the last chunk.
"chunk data found instead of footer"
Chunk data were found instead of an empty last chunk.
"version mismatch with upgrade header"
The Upgrade header is only available in HTTP/1.1.
"rfc6455 invalid protocol version"
The WebSocket protocol version is invalid.
"invalid transfer encoding value"
The encoding value used for the transfer is invalid.
"invalid Sec-WebSocket-Key"
The Sec-WebSocket-Key must be in base64.
"invalid connection header field value"
An error in the connection field has been detected.
"invalid Sec-WebSocket-Accept"
The Sec-WebSocket-Accept must be in base64.
"rfc6455 empty subprotocol"
Sec-WebSocket-Protocol must be present in the header.
"invalid content encoding value"
The encoding value used for the content is invalid.
"Authorization Negotiate"
Restriction on the header's "Authorization: Negotiate" field exceeded.
"Authorization NTLM"
Restriction on the header's "Authorization: NTLM" field exceeded.
"null char in chunk crlf"
An ASCII character '0' was detected in the CRLF character sequence.
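
When triaging this alarm, it helps to check a captured request head against the conditions above before deciding whether the client is broken or hostile. The following is an added example, not the firewall's own analysis code: the function name `triage` and the sample requests are constructed for illustration, and the checks follow the RFCs (RFC 6455 for the WebSocket handshake) as an assumption about what each message covers.

```python
import base64
import binascii

# Constructed sample request heads (not captured traffic).
GOOD = (b"GET /chat HTTP/1.1\r\nHost: example.test\r\nUpgrade: websocket\r\n"
        b"Connection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
        b"Sec-WebSocket-Version: 13\r\n\r\n")
BAD = (b"GET /chat HTTP/1.0\r\nHost: example.test\r\nUpgrade: websocket\r\n"
       b"Sec-WebSocket-Key: not*base64\r\nSec-WebSocket-Version: 7\r\n"
       b"Content-Length: -5\r\n\r\n")


def triage(raw):
    """Return the complement messages (names from the list above) a request head matches."""
    hits = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    if b"\x00" in head:
        hits.append("null char in request")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return hits + ["invalid request"]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        # A header needs a name directly followed by a colon.
        if not sep or not name or name != name.strip():
            hits.append("invalid header format")
            continue
        headers[name.lower()] = value.strip()
    # Content-Length must be a non-negative decimal integer.
    cl = headers.get(b"content-length")
    if cl is not None and not cl.isdigit():
        hits.append("content length")
    # Upgrade is an HTTP/1.1 mechanism.
    if b"upgrade" in headers and parts[2] != b"HTTP/1.1":
        hits.append("version mismatch with upgrade header")
    # RFC 6455 fixes the handshake version at 13 (assumed to be what the alarm checks).
    ws_ver = headers.get(b"sec-websocket-version")
    if ws_ver is not None and ws_ver != b"13":
        hits.append("rfc6455 invalid protocol version")
    # RFC 6455: the key is a base64-encoded 16-byte nonce.
    key = headers.get(b"sec-websocket-key")
    if key is not None:
        try:
            ok = len(base64.b64decode(key, validate=True)) == 16
        except binascii.Error:
            ok = False
        if not ok:
            hits.append("invalid Sec-WebSocket-Key")
    return hits
```

An empty result for a request that still triggered the alarm points to one of the conditions this sketch does not model, such as the chunked-encoding or reply-side messages.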