Why is IPS blocking some clients

Posted by Tom on October 23, 2006, 10:44 am
I have created a very simple test form on my site for recreating a
problem where some of my customers cannot submit data to my site. It
appears that their Intrusion Prevention Systems are detecting a problem
and blocking the POST submission. However, they can't figure out what
the problem is, and in two cases their IT people don't have the time to
help.

The test form is http://www.sygration.com/cgi-bin/banana64

If you are running an IPS/IDS, please try the form. The failures were
occurring on the Submit. If it fails, please let me know the
reason your IPS/IDS gives.

Thank you for helping, Tom


Posted by Sebastian Gottschalk on October 23, 2006, 11:05 am
Tom wrote:

> I have created a very simple test form on my site for recreating a
> problem where some of my customers cannot submit data to my site. It
> appears that their Intrusion Prevention Systems are detecting a problem
> and blocking the POST submission.

That's exactly the problem why IPS are bullshit: Whereas IDS only give
indications, IPS take such indications as the bare truth and act
unconditionally.

> The test form is http://www.sygration.com/cgi-bin/banana64

Most likely it's because the POST message is very big and regular. The
encoding as multipart/form-data might add up to the indications as well.

Posted by Tom on October 23, 2006, 4:03 pm

Sebastian Gottschalk wrote:
> That's exactly the problem why IPS are bullshit: Whereas IDS only give
> indications, IPS take such indications as the bare truth and act
> unconditionally.
>
> > The test form is http://www.sygration.com/cgi-bin/banana64
>
> Most likely it's because the POST message is very big and regular. The
> encoding as multipart/form-data might add up to the indications as well.

The test form is tiny -- the returned POST is only about 2kB.
Did you try it? This seems to be the best group that would have some
IPS running and can look at their logs to tell me what is causing the
problem.

Tom


Posted by Sebastian Gottschalk on October 23, 2006, 4:13 pm
Tom wrote:

>> Most likely it's because the POST message is very big and regular. The
>> encoding as multipart/form-data might add up to the indications as well.
>
> The test form is tiny -- the returned POST is only about 2kB.

Try to measure the size in number of fields. And become aware that these
are quite many fields for a simple form.

> Did you try it?

No, I'm not running such bullshit. My job usually only consists of giving
good examples why they're nonsense and uninstalling them.

Posted by Tom on October 24, 2006, 9:29 am

Sebastian Gottschalk wrote:
> Tom wrote:
>
> >> Most likely it's because the POST message is very big and regular. The
> >> encoding as multipart/form-data might add up to the indications as well.
> >
> > The test form is tiny -- the returned POST is only about 2kB.
>
> Try to measure the size in number of fields. And become aware that these
> are quite many fields for a simple form.

It only has 24 fields, corresponding to a form that would have hours
1-24. Even a single-field form caused problems when the user submitted
enough text in the field to require 2 or more network packets to send.

>
> > Did you try it?
>
> No, I'm not running such bullshit. My job usually only consists of giving
> good examples why they're nonsense and uninstalling them.

Fortunately (I think) the problem is only seen by users that are on the
other side of an IPS (of certain models perhaps). I need to know what
it is about the form (or my site) that is causing the problem with
these IPS's, and I too do not run one to know.

Anyone else that has an IPS, if you can try the site and let me know
what error you may receive from your IPS/IDS log would be greatly
appreciated.

(Test form remains at http://www.sygration.com/cgi-bin/banana64 )

Let me know if there is another service or forum better suited for my
request.

Thanks, Tom
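
To check a form against the two observations in this thread (the multipart/form-data encoding, and failures once a POST needed two or more packets), the sketch below measures a constructed 24-field submission in both encodings. It is an added example, not code from any poster; the field names, values, boundary, host, path, minimal header set and 1460-byte MSS are assumptions, and a real browser request carries more headers.

```python
from urllib.parse import urlencode

MSS = 1460                                # assumption: typical Ethernet TCP MSS
BOUNDARY = "----constructedBoundary7d6"   # constructed sample boundary
MULTIPART = f"multipart/form-data; boundary={BOUNDARY}"
URLENCODED = "application/x-www-form-urlencoded"
# Constructed stand-in for the 24 hourly fields described in the thread.
HOURS = {f"hour{h}": "123.45" for h in range(1, 25)}

def multipart_body(fields, boundary=BOUNDARY):
    """Encode fields as multipart/form-data: one delimited part per field."""
    parts = [
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{name}"\r\n\r\n'
        f"{value}\r\n"
        for name, value in fields.items()
    ]
    return ("".join(parts) + f"--{boundary}--\r\n").encode()

def urlencoded_body(fields):
    """Encode the same fields as application/x-www-form-urlencoded."""
    return urlencode(fields).encode()

def request_bytes(body, content_type, host="example.test", path="/cgi-bin/form"):
    """Minimal HTTP/1.1 POST; host and path are hypothetical placeholders."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: {content_type}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode() + body

def segments(nbytes, mss=MSS):
    """TCP segments needed to carry nbytes of payload (ceiling division)."""
    return -(-nbytes // mss)

def profile(fields, mss=MSS):
    """Body size, request size and segment count for each encoding."""
    out = {}
    for label, body, ctype in (("urlencoded", urlencoded_body(fields), URLENCODED),
                               ("multipart", multipart_body(fields), MULTIPART)):
        req = request_bytes(body, ctype)
        out[label] = {"fields": len(fields), "body": len(body),
                      "request": len(req), "segments": segments(len(req), mss)}
    return out

def min_text_to_span(mss=MSS):
    """Smallest single-field text length whose multipart POST needs 2+ segments."""
    n = 0
    while segments(len(request_bytes(multipart_body({"text": "x" * n}), MULTIPART)), mss) < 2:
        n += 1
    return n

if __name__ == "__main__":
    print(profile(HOURS), min_text_to_span())
```

With these constructed inputs the multipart body comes to about 2 kB and spans two segments, while the same fields URL-encoded fit in one; comparing those two cases through the affected IPS separates an encoding trigger from a reassembly trigger.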

