000031041 - WTD web action to POST is not working properly when target server only allows POST method.

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000031041
Applies To:
RSA Product Set: Web Threat Detection
RSA Product/Service Type: Silvertail
RSA Version/Condition: All versions that support 'web' action.
Platform: Linux
Platform (Other): null
O/S Version: Red Hat Enterprise Linux 6.x
Product Name: Silvertail
Product Description: Web Threat Detection
Issue: The web action requires a GET before it can POST data to the target server.
When the web action is used in rules, SilverTail/Web Threat Detection must perform a GET once before it will POST the data, in order to create the {webaction}_cookies.txt file under the /var/opt/silvertail/etc/conf.d/ActionServer-*/ path. As long as that file exists, another GET will not be sent to the target server. If {webaction}_cookies.txt is removed or renamed, another GET request will be sent the next time that action is triggered, before data can be POSTed to the target server.
Target servers are sometimes locked down to accept only POST requests. In that case the target server will either ignore the GET request or respond with a 405.
Syslog example:
Jun 30 15:45:12 WTD4622 actionserver.py[44439]:Action Folder Watcher:INFO:GET request to http://webserver.test.gdc-rsa.net/POST_test/unprotected
Jun 30 15:45:12 WTD4622 actionserver.py[44439]:Action Folder Watcher:CRITICAL:HTTP Error updating cookie for URL "http://webserver.test.gdc-rsa.net/POST_test/unprotected", 405
Syslog example when a GET is allowed before POST action:
Jul 2 19:52:53 WTD51 actionserver.py[64472]:Action Folder Watcher:INFO:GET request to http://webserver.test.gdc-rsa.net/POST_test/unprotected
Jul 2 19:52:53 WTD51 actionserver.py[64472]:Action Folder Watcher:INFO:POST request to http://webserver.test.gdc-rsa.net/POST_test/unprotected with params balFlag=flag&BA=page&Timestamp=2015-07-03+01%3A52%3A37.041&Rule=Protected_site_POST_test_unprotected&EngineContext=Mitigator&handler=web&User=Not+Available&IP=192.168.107.55&Date=Fri+Jul++3+01%3A52%3A37+2015&BaValue=%2F&Page=%2F
 
Cause: SilverTail/WTD needs to have a cookie to communicate with the target server before POST data can be sent.
Resolution: Set up the target server to receive GET requests from SilverTail/WTD.
Workaround: If the target server cannot receive GET requests during normal operation, the GET method can be removed after the cookie file has been created in WTD. This will work as long as the {webaction}_cookies.txt file is valid; after that, GET will need to be allowed again to renew the cookies file.
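
The failure signature in the syslog examples above can be checked for automatically. The following Python script is an added example, not part of the original article or of the product: it parses the Action Folder Watcher message formats shown above and reports each WTD host and target URL whose cookie GET was rejected with 405. The function names and the SAMPLE list are illustrative assumptions.

```python
import re
from collections import defaultdict

# Message formats as they appear in the article's actionserver.py syslog examples.
LINE_RE = re.compile(r'(?P<host>\S+) actionserver\.py\[\d+\]:Action Folder Watcher:'
                     r'(?P<level>[A-Z]+):(?P<msg>.*)$')
GET_RE = re.compile(r'GET request to (?P<url>\S+)$')
POST_RE = re.compile(r'POST request to (?P<url>\S+) with params ')
ERR_RE = re.compile(r'HTTP Error updating cookie for URL "(?P<url>[^"]+)", (?P<status>\d{3})$')

def audit_web_actions(lines):
    """Count cookie GETs, delivered POSTs and cookie errors per (host, target URL)."""
    stats = defaultdict(lambda: {"gets": 0, "posts": 0, "cookie_errors": []})
    for line in lines:
        m = LINE_RE.search(line.rstrip())
        if not m:
            continue  # not an Action Folder Watcher message
        host, msg = m["host"], m["msg"]
        if (g := GET_RE.match(msg)):
            stats[(host, g["url"])]["gets"] += 1
        elif (p := POST_RE.match(msg)):
            stats[(host, p["url"])]["posts"] += 1
        elif m["level"] == "CRITICAL" and (e := ERR_RE.match(msg)):
            stats[(host, e["url"])]["cookie_errors"].append(int(e["status"]))
    return dict(stats)

def get_rejected(stats):
    """(host, url) pairs whose cookie GET was answered with 405 Method Not Allowed."""
    return sorted(key for key, s in stats.items() if 405 in s["cookie_errors"])

# Sample input: lines from the article's syslog examples; the POST parameter
# string is shortened here for readability.
URL = "http://webserver.test.gdc-rsa.net/POST_test/unprotected"
SAMPLE = [
    f"Jun 30 15:45:12 WTD4622 actionserver.py[44439]:Action Folder Watcher:INFO:GET request to {URL}",
    f'Jun 30 15:45:12 WTD4622 actionserver.py[44439]:Action Folder Watcher:CRITICAL:HTTP Error updating cookie for URL "{URL}", 405',
    f"Jul 2 19:52:53 WTD51 actionserver.py[64472]:Action Folder Watcher:INFO:GET request to {URL}",
    f"Jul 2 19:52:53 WTD51 actionserver.py[64472]:Action Folder Watcher:INFO:POST request to {URL} with params balFlag=flag&BA=page&handler=web",
]

if __name__ == "__main__":
    stats = audit_web_actions(SAMPLE)
    for host, url in get_rejected(stats):
        print(f"{host}: target rejects cookie GET with 405: {url}")
```

A host that appears in the output with zero POSTs for the same URL is one whose web action is not reaching the target server.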
