This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

BARE BYTE UNICODE ENCODING

I am getting tons of these messages in my intrusion detection log but I see now rule that's firing this. Here is the line from the log:

[ QUOTE ]
[119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING {PROTO006}

[/ QUOTE ]

Any way I can stop this from logging? It's filling up my log space rapidly.

This thread was automatically locked due to age.

0 mcpooh over 20 years ago

That's not triggered by a rule - it's from the Snort http_inspect preprocessor. The message means that a web client uses a non-standard encoding for UTF-8 values. If possible, check the client which causes these alarms.
Cancel
Vote Up 0 Vote Down

Cancel
0 rahuldhiman over 9 years ago in reply to mcpooh

i am new user into signature analysis but what all i should investigate in order to eliminate false positive
like what all i have to check on client
Cancel
Vote Up 0 Vote Down

Cancel
0 Scott_Klassen over 9 years ago

First thing is to check that the client is using a standards based browser andf that it is updated to a recent version.

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel
0 rahuldhiman over 9 years ago

i am seeing these events on IDS and all the packets that i see are the ack packets, i am not finding any option to confirm what browser and version of the browser triggered these events.
I tried to generate the same event using old IE and firefox version, but no luck.
Cancel
Vote Up 0 Vote Down

Cancel
0 Scott_Klassen over 9 years ago

There should be IPs in the log lines for this alert. If so, does it show that this is inbound (external IP to Internal IP) or outbound traffic (Internal IP to External IP)? Is this an Ack response from an external web server that one of your internal clients is making a request to or are you hosting a web server?

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel
0 rahuldhiman over 9 years ago in reply to Scott_Klassen

yes.. there are shows that it was an ACK packet and it was outbound traffic and there are several events in some events it's response towards my hosted web servers and in some events where i see traffic towards external servers i see those pages under construction.
can you suggest me some docs which i can refer for fine tuning of the IPS.
Cancel
Vote Up 0 Vote Down

Cancel
0 rahuldhiman over 9 years ago

I just tried with some non standard browser accessing those destinations from my machine but did not get any logs for bare btye signature on IDS.
Cancel
Vote Up 0 Vote Down

Cancel

BARE BYTE UNICODE ENCODING

Submitted a Tech Support Case lately from the Support Portal?