When a computer is assigned with Intrusion Prevention Rule 1000128 "HTTP Protocol Decoding", the following known issues might be encountered:
- Deep Security Manager (DSM) and Control Manager (TMCM) communication will be blocked.
- The connection issued by WGET command will be blocked.
The DPI Rule "HTTP Protocol Decoding" is triggered for the HTTP POST request below:
POST /webservice/Manager HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Host: 172.21.4.194:4119 Accept: */* Referrer: SOAPAction: "" Content-Length: 331 Content-Type: application/x-www-form-urlencoded <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:Manager"> <soapenv:Header/> <soapenv:Body> <urn:authenticate> <urn:username>masteradmin</urn:username> <urn:password>11111111</urn:password> </urn:authenticate> </soapenv:Body> </soapenv:Envelope>
Since "\x0A" (new line character) is included in the set of illegal characters, the rule is triggered at the end of pattern "urn:Manager".
To resolve the issue, do any of the following:
- Create a bypass rule between DSM and TMCM.
- On the Properties page of IPS Rule 1000128 HTTP Protocol Decoding, go to the Configuration tab and untick Use URI Normalization in body of HTTP POST.