WTD web action to POST is not working properly when target server only allows POST method.
Originally Published: 2015-08-24
Article Number
Applies To
RSA Product/Service Type: Silvertail
RSA Version/Condition: All versions that support 'web' action.
Platform: Linux
Platform (Other): null
O/S Version: Red Hat Enterprise Linux 6.x
Product Name: Silvertail
Product Description: Web Threat Detection
Issue
When the web action is used in rules before SilverTail/Web Threat Detection will POST the data a GET must first be preformed once to create the {webaction}_cookies.txt file under /var/opt/silvertail/etc/conf.d/ActionServer-*/ path. As long as that file exists then another GET will not be sent to the target server. If the {webaction}_cookies.txt is removed or renamed another GET request will be sent the next time that action is triggered before data can be POST to the target server.
Target servers will some times be locked down to only receive POST actions. If this is the case the target server will either ignore the request or respond with a 405.
Syslog example:
Jun 30 15:45:12 WTD4622 actionserver.py[44439]:Action Folder Watcher:INFO:GET request to http://webserver.test.gdc-rsa.net/POST_test/unprotected
Jun 30 15:45:12 WTD4622 actionserver.py[44439]:Action Folder Watcher:CRITICAL:HTTP Error updating cookie for URL "http://webserver.test.gdc-rsa.net/POST_test/unprotected", 405
Syslog example when a GET is allowed before POST action:
Jul 2 19:52:53 WTD51 actionserver.py[64472]:Action Folder Watcher:INFO:GET request to http://webserver.test.gdc-rsa.net/POST_test/unprotected
Jul 2 19:52:53 WTD51 actionserver.py[64472]:Action Folder Watcher:INFO:POST request to http://webserver.test.gdc-rsa.net/POST_test/unprotected with params balFlag=flag&BA=page&Timestamp=2015-07-03+01%3A52%3A37.041&Rule=Protected_site_POST_test_unprotected&EngineContext=Mitigator&handler=web&User=Not+Available&IP=192.168.107.55&Date=Fri+Jul++3+01%3A52%3A37+2015&BaValue=%2F&Page=%2F
Cause
Resolution
Workaround
Related Articles
Weblogic agent (identity asserter) does not allow cookie name other than CTSESSION Number of Views ACM-100162 || PV_USER_ALL_ACCESS view does not include custom attributes post 7.1.1 installation Number of Views RSA Identity Governance and Lifecycle IDC Unification is slow in "Step 8/10: Post-Processing: Populate Role Metrics" after… Number of Views Encoding with Datafeeds Explained Number of Views Intermittent failure of AA to post challenge questions. Number of Views
Trending Articles
RSA Authentication Manager Upgrade Process RSA Release Notes for RSA Authentication Manager 8.8 RSA RADIUS Server service failed to start in the RSA Authentication Manager 8.1 Operations Console Microsoft Entra ID External MFA - Relying Party Configuration Using OIDC - RSA Ready Implementation Guide RSA Release Notes: Cloud Access Service and RSA Authenticators
Don't see what you're looking for?
