Page Cannot Be Displayed Error After Enabling CGI/Authentication (Problem Solved -- Cisco IDS to Blame)

Slade Edmonds slade at cryptoflow.net
Sun May 9 23:47:13 CEST 2004


Slade Edmonds wrote:

> Hi, running Nagios 1.2 on Debian.  After I enabled CGI authentication, 
> I commonly encounter 'This Page Cannot Be Displayed' in IE and 
> 'Document Contains No Data' in Mozilla.  Prior to that there were no 
> issues.  The main Nagios interface shows just fine.  The problem only 
> affects links to the menu items on the left pane such as status 
> detail, host detail, etc.  Also, in IE I can right-click the links and 
> open them in a new window and they come up just fine.  I did find FAQ 
> ID F0222 submitted by Jack Yao and adjusted my config accordingly, 
> still resulting in the same problems.  I've double-checked my configs 
> a few times over and nothing seems out of order.  Any ideas what might 
> be going on?
> Thanks
>
> Slade
>
Hello, I was able to figure out what was causing the failure.  If you 
are running your Nagios box behind a Cisco running IOS/firewall feature 
set and you have enabled Intrusion Detection in that feature set, you 
will possibly run into the same behavior.  There's an audit rule 
numbered 5055 in IOS 12.3 called HTTP_BASIC_AUTH_OVFLOW_SIG.  I happened 
to check my Cisco logs (they're sent to a syslog daemon) and found the 
following entry:

May  9 17:16:18 hostname.blah.net/hostname.blah.net 35834: 3w3d: %IDS-4-HTTP_BASIC_AUTH_OVFLOW_SIG: Sig:5055:HTTP Basic Authentication Overflow - from source.ip.add.ress to destination.ip.add.ress

I disabled this audit rule to solve the problems described in the 
original mailing.   The IOS config looks like this:

ip inspect name ncinspect ftp timeout 60
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
ip audit notify log
ip audit po max-events 100
ip audit signature 2000 disable
! disable HTTP_BASIC_AUTH_OVFLOW_SIG
ip audit signature 5055 disable
ip audit name AUDIT.1 info list 99 action alarm drop reset
ip audit name AUDIT.1 attack list 98 action alarm drop reset

The Apache running is version 1.3.29.

Cheers,

Slade
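
Added example, not part of the original post: a small Python triage script for the %IDS syslog format quoted above. It groups alarms by signature and destination so that a signature firing only on traffic to your own web server (here the Nagios host) stands out for review before it is disabled. The sample log, host names and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Body of an IOS Firewall IDS alarm as quoted in the post. \s+ between tokens
# tolerates entries that a mail client or pager wrapped across lines.
IDS_RE = re.compile(
    r"%IDS-(?P<sev>\d)-(?P<name>\w+):\s+Sig:(?P<sig>\d+):(?P<desc>.+?)\s+-\s+"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)",
    re.DOTALL,
)

# Constructed sample input (documentation addresses); the first entry is wrapped.
SAMPLE = """\
May  9 17:16:18 gw.example.net 35834: 3w3d: %IDS-4-HTTP_BASIC_AUTH_OVFLOW_SIG: Sig:5055:HTTP Basic Authentication
Overflow - from 198.51.100.7 to 192.0.2.10
May  9 17:16:25 gw.example.net 35835: 3w3d: %IDS-4-HTTP_BASIC_AUTH_OVFLOW_SIG: Sig:5055:HTTP Basic Authentication Overflow - from 198.51.100.7 to 192.0.2.10
May  9 17:20:02 gw.example.net 35836: 3w3d: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP Echo Request - from 203.0.113.9 to 192.0.2.55
May  9 17:21:40 gw.example.net 35837: 3w3d: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
"""

def parse_ids_events(text):
    """Return one dict per IDS alarm found in raw syslog text."""
    events = []
    for m in IDS_RE.finditer(text):
        ev = m.groupdict()
        ev["sig"] = int(ev["sig"])
        ev["desc"] = " ".join(ev["desc"].split())  # undo line wrapping
        events.append(ev)
    return events

def hits_by_signature_and_dest(events):
    """Count alarms per (signature id, signature name, destination)."""
    return Counter((e["sig"], e["name"], e["dst"]) for e in events)

def review_candidates(events, own_servers, min_hits=2):
    """Signature ids that fired repeatedly and only toward servers we operate."""
    by_sig = {}
    for e in events:
        by_sig.setdefault(e["sig"], []).append(e["dst"])
    return sorted(
        sig for sig, dsts in by_sig.items()
        if len(dsts) >= min_hits and set(dsts) <= own_servers
    )

if __name__ == "__main__":
    events = parse_ids_events(SAMPLE)
    for key, n in hits_by_signature_and_dest(events).most_common():
        print(n, key)
    print("review:", review_candidates(events, {"192.0.2.10"}))
```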

