Trellix Intrusion Prevention System doesn't parse Layer 7 data correctly
Last Modified: 2024-01-24 10:03:56 Etc/GMT
Affected Products
Languages:
This article is available in the following languages:
Trellix CEO, Bryan Palma, explains the critical need for security that’s always learning.
As per Gartner, "XDR is an emerging technology that can offer improved threat prevention, detection and response."
Trellix announced the establishment of the Trellix Advanced Research Center to advance global threat intelligence.
Trellix Advanced Research Center analyzes threat data on ransomware, nation-states, sectors, vectors, LotL, MITRE ATT&CK techniques, and emails.
As of May 14, 2024, Knowledge Base (KB) articles will only be published and updated in our new Trellix Thrive Knowledge space.
Log in to the Thrive Portal using your OKTA credentials and start searching the new space. Legacy KB IDs are indexed and you will be able to find them easily just by typing the legacy KB ID.
Trellix Intrusion Prevention System doesn't parse Layer 7 data correctly
Technical Articles ID:
KB93045
Last Modified: 2024-01-24 10:03:56 Etc/GMT Environment
Trellix Intrusion Prevention System
Problem 1
When you view the attack log, you see that the Manager SM displays status codes as .1 200 instead of 200. Packet captures report the HTTP Host header as empty. But, the Manager attack logs populate an incorrect HTTP Host field. Cause
The Webserver doesn't send HTTP Requests in a proper format. When the Webserver sends a malformed request, it can't parse it. For example: Host: Connection: close In this request, you can see that the HTTP version in the GET request is HTTP1.1 instead of HTTP/1.1 Solution
The Manager is working as designed. If there are malformed HTTP requests, the Manager can't parse the information correctly. Affected ProductsLanguages:This article is available in the following languages: |
|