Network Prevent for Web HTTPS incidents show as an HTTP incident.
Article ID: 281671


Products

Data Loss Prevention Network Monitor and Prevent for Web

Issue/Introduction

When files are uploaded to an HTTPS site (e.g. file.io or dlptest.com/https), the incident created is of type HTTP even though the URL clearly shows that HTTPS was used.

Cause

The proxy server is supplying only the relative URL in the ICAP request line, so the detection server falls back to the HTTP protocol: the content arrives without the scheme hint that an absolute https:// URL would provide.

Looking at the WebPrevent_Access0.log from this use case, we see the following:

File: WebPrevent_Access0.log
Date: 28/03/2024 09:44:19
Level: INFO
Host IP: xx.xxx.xx.xx
Auth User: Local://[email protected]
Request Line: POST /wp-admin/admin-ajax.php HTTP/1.1
ICAP Status Code: 204
Request Size: 31218425
Referrer: https://dlptest.com/https-post/
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
Processing Time MS: 6374
Connection Id: 2
Client IP: xxx.xxx.xx.xxx
Client Port: 63743
Action Code: 1
ICAP Method Code: 1
Traffic Source Code: 1
Message UUID: 1A58FF33-01D8-4ADF-8DA1-928C3400BB08
Request Receive Time MS: 851
Transfer Rate: 29 MB/sec
Exclude Reason: 0

Resolution

The DLP Network Prevent for Web detection servers require the full Absolute URL to make the decision on protocol type.

Please contact your proxy vendor to investigate why the proxy is not supplying the full Absolute URL in the ICAP traffic. 

Typically the WebPrevent_Access0.log shows the absolute URL in the request line, like this:

File: WebPrevent_Access0.log
Date: 28/03/2024 09:44:19
Level: INFO
Host IP: xx.xxx.xx.xx
Auth User: Local://[email protected]
Request Line: POST https://dlptest.com/wp-admin/admin-ajax.php HTTP/1.1
ICAP Status Code: 204
Request Size: 31218425
Referrer: https://dlptest.com/https-post/
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
Processing Time MS: 6374
Connection Id: 2
Client IP: xxx.xxx.xx.xxx
Client Port: 63743
Action Code: 1
ICAP Method Code: 1
Traffic Source Code: 1
Message UUID: 1A58FF33-01D8-4ADF-8DA1-928C3400BB08
Request Receive Time MS: 851
Transfer Rate: 29 MB/sec
Exclude Reason: 0

Additional Information

At this time DLP does not use the Referrer URL information during detection.
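The following script is an added example for checking an access log for the condition this article describes; it is not part of the article and not a Broadcom or Symantec tool. It assumes only the key/value entry layout shown in the WebPrevent_Access0.log excerpts above, parses each entry, classifies the ICAP request line as carrying an https, an http, or a relative (origin-form) target, and flags entries where the request line is relative while the Referrer is https, which is the signature of a proxy that is stripping the absolute URL. The three log entries embedded in the script are constructed samples with placeholder UUIDs. The Referrer is used only as an audit hint for the administrator; as the article states, DLP itself does not consult it during detection.

```python
import re
from urllib.parse import urlsplit

# Constructed sample entries in the WebPrevent_Access0.log key/value layout.
# UUIDs and hosts are placeholders, not values from a real deployment.
SAMPLE_LOG = """\
File: WebPrevent_Access0.log
Date: 28/03/2024 09:44:19
Level: INFO
Request Line: POST /wp-admin/admin-ajax.php HTTP/1.1
ICAP Status Code: 204
Referrer: https://dlptest.com/https-post/
Message UUID: 00000000-0000-0000-0000-000000000001

File: WebPrevent_Access0.log
Date: 28/03/2024 09:45:02
Level: INFO
Request Line: POST https://dlptest.com/wp-admin/admin-ajax.php HTTP/1.1
ICAP Status Code: 204
Referrer: https://dlptest.com/https-post/
Message UUID: 00000000-0000-0000-0000-000000000002

File: WebPrevent_Access0.log
Date: 28/03/2024 09:46:10
Level: INFO
Request Line: GET http://example.com/index.html HTTP/1.1
ICAP Status Code: 204
Referrer:
Message UUID: 00000000-0000-0000-0000-000000000003
"""


def parse_entries(text):
    """Split the log into blank-line separated entries, each a dict of 'Key: value'."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            entries.append(fields)
    return entries


def classify_request_line(request_line):
    """Return (kind, target) where kind is 'https', 'http', 'relative' or 'unknown'.

    Mirrors the rule the article describes: only an absolute-form target such as
    'https://host/path' carries the scheme. An origin-form target ('/path') gives
    the detection server no scheme hint, so the protocol cannot be determined
    from the request line alone.
    """
    parts = request_line.split()
    if len(parts) < 2:
        raise ValueError("malformed request line: %r" % request_line)
    target = parts[1]
    if target.startswith("/"):
        return "relative", target
    scheme = urlsplit(target).scheme.lower()
    if scheme in ("http", "https"):
        return scheme, target
    return "unknown", target  # e.g. CONNECT authority-form; no usable scheme


def protocol_summary(entries):
    """Count entries per request-line kind; a high 'relative' count points at the proxy."""
    counts = {}
    for entry in entries:
        kind, _ = classify_request_line(entry.get("Request Line", ""))
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def find_scheme_stripped_entries(entries):
    """Entries whose request line is relative although the Referrer is https.

    Such an upload would be typed as an HTTP incident even though it went to an
    HTTPS site. The Referrer is only an audit hint here; DLP does not use it.
    """
    flagged = []
    for entry in entries:
        kind, target = classify_request_line(entry.get("Request Line", ""))
        referrer = entry.get("Referrer", "")
        if kind == "relative" and referrer.lower().startswith("https://"):
            flagged.append((entry.get("Message UUID"), target, referrer))
    return flagged


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    print("request-line kinds:", protocol_summary(parsed))
    for uuid, target, referrer in find_scheme_stripped_entries(parsed):
        print("proxy sent relative URL %s for https referrer %s (UUID %s)"
              % (target, referrer, uuid))
```

Run it against a real WebPrevent_Access0.log by replacing SAMPLE_LOG with the file contents; if the flagged list is non-empty while the proxy is expected to send absolute URLs, that is the evidence to take to the proxy vendor as the Resolution section advises.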