This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Bare Byte Unicode Encoding alerts since update to 6.203

Hi,

I've been getting a whole lot of alerts since the update to 6.203 was applied on an ASL 6.202. Snort http_inspect is giving me "Bare Byte Unicode Encoding {PROTO006}" alerts since the update. The source ip is always the external interface address on the ASL. The destination ip (after doing some Whois lookup) is often :
- 212.126.210.98 (ORG-tG2-RIPE - in Karlsruhe, Germany)
- 206.253.225.X (ISS - Internet Security Systems in Atlanta) ??

These alerts are displayed through Syslog each time a web page is requested, independently of the clients requesting it (Firefox, IE, Opera..).

Is this related to the fact that since v 6.203, the Surf Protection can update itself via tcp port 80 (instead of only with tcp port 6000) ?

Anyone have seen these in their logs lately?
Is this normal and why ISS is one of the destination ?

Regards,

F.T

This thread was automatically locked due to age.

0 BrucekConvergent over 19 years ago

I've noticed them at numerous customer sites.. we monitor all of them with ARM, and the alerts were driving us nuts, so we disabled the alerting system for that one IPS-4 ID. I've started a support ticket with Astaro on this, hopefully they'll patch this bug soon.

As to why one of the servers is on the ISS network.. well, ISS owns Cobion now.. that's one of their Cobion DB servers.
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 19 years ago in reply to BrucekConvergent

I've gotten a response back from Astaro.. they confirm the bug, hopefully they'll have more info for me tomorrow!
Cancel
Vote Up 0 Vote Down

Cancel
0 Stealth over 19 years ago in reply to BrucekConvergent

Thanks for your response BrucekConvergent.
Glad to know that it's a known bug now at Astaro.
Could these alerts (even if they're not direct alerts, but more preprocessor related) be considered as False Positive then ?

You're right about Cobion.
I found out later that ISS was the owner by going to cobion.com..
Couldn't be clearer : On 14 January 2004, Cobion AG became a part of the Internet Security Systems, Inc. family of companies.
Should have known that, oh well...

Thanks again.
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 19 years ago in reply to Stealth

Yes, I'd consider these false positives.. not really affecting operation, except for us, since we monitor several devices for several customers, the false alarms were a little more than annoying.
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 19 years ago in reply to BrucekConvergent

Small update: They asked me to send them a tcpdump with the offending traffic in it.. they've got and are working on it now.
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 19 years ago in reply to BrucekConvergent

OK, it's been confirmed, they say they'll have a fix for it in the next Up2Date.
Cancel
Vote Up 0 Vote Down

Cancel
0 Stealth over 19 years ago in reply to BrucekConvergent

Thanks for the update BrucekConvergent.
Your feedback was appreciated.

Regards
Cancel
Vote Up 0 Vote Down

Cancel