I am just learning Snort so any help will be appreciated. I am seeing many “(http_inspect) BARE BYTE UNICODE ENCODING” alerts popping up in Snort.
Reading the readme.http_inspect tells me the details of what this means. If I’m understanding this correctly, this is the escaped ASCII codes such as “%40”. readme.http_inspect says “there are no legitimate clients that encoded UTF-8 this way.”
I’m finding this hard to believe since we are seeing so many of these both to the ISA server and to the Outlook Web Access server. Doing a web search turns up a large number of questions like the one I am asking, but I don’t see a good answer as to why so many supposedly clean clients would be triggering this and how I can filter out the noise. I find it hard to believe that nearly all of my network clients have hacking tools or viruses on their workstations. I can’t find anything wrong with them. These are Windows 2000 clients with the latest Internet Explorer patches and fully updated Symantec Antivirus.
I’m hoping someone out there can educate me on what should be done about these alerts. I appreciate your help.
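Added example (not part of the original post, and not Snort's own code): before suppressing anything, the usual first step is to find out which clients and which servers are actually producing the alert. The script below reads Snort's alert_fast log format, keeps only the "(http_inspect) BARE BYTE UNICODE ENCODING" events, tallies them by source client and destination server, and then generates threshold.conf `suppress ... track by_dst` entries scoped to the servers you decide are trusted (the ISA and OWA hosts in the post), so the alert stays live for every other destination. The log lines, IP addresses and the generator/signature IDs in them are constructed for this example; the `suppress` entries copy the gid:sid pair from the log itself rather than hard-coding it, so they will match whatever your Snort version reports. Note that per README.http_inspect this alert is about raw non-ASCII bytes in a URI (IIS-style bare-byte decoding), not about ordinary %-escapes, so the URIs in the matching packets are worth a look before deciding it is noise.

```python
"""Triage Snort http_inspect BARE BYTE UNICODE ENCODING alerts from an alert_fast log.

Groups the alerts by source client and destination server, then emits
threshold.conf 'suppress' entries limited to servers you consider trusted.
The sample log below is constructed for this example.
"""
import re
from collections import Counter

# One alert per line in alert_fast format, e.g.:
# 03/15-10:22:41.123456  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.0.0.5:1034 -> 10.0.0.20:80
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

BARE_BYTE_MSG = "(http_inspect) BARE BYTE UNICODE ENCODING"

# Constructed sample: 10.0.0.20 stands in for the ISA/OWA server, 10.0.0.21 for another web host.
SAMPLE_LOG = """\
03/15-10:22:41.123456  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.0.0.5:1034 -> 10.0.0.20:80
03/15-10:22:42.000001  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.0.0.6:1101 -> 10.0.0.20:80
03/15-10:22:45.500000  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.0.0.5:1040 -> 10.0.0.21:443
03/15-10:23:01.250000  [**] [1:2000001:1] EXAMPLE unrelated rule [**] [Priority: 2] {TCP} 10.0.0.7:2000 -> 10.0.0.20:80
03/15-10:23:09.750000  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.0.0.7:2011 -> 10.0.0.20:80
"""


def parse_alerts(text):
    """Yield one dict per line that matches the alert_fast layout; other lines are skipped."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m.groupdict()


def bare_byte_alerts(text):
    """Return only the http_inspect bare-byte alerts from the log text."""
    return [a for a in parse_alerts(text) if a["msg"] == BARE_BYTE_MSG]


def tally(alerts):
    """Return (alerts per source client, alerts per destination server)."""
    by_src = Counter(a["src"] for a in alerts)
    by_dst = Counter(a["dst"] for a in alerts)
    return by_src, by_dst


def suppress_lines(alerts, trusted_servers):
    """Build threshold.conf entries that silence this alert only for the given destination IPs.

    The gid/sid come from the alerts themselves, so the entries match the running Snort.
    """
    lines, seen = [], set()
    for a in alerts:
        if a["dst"] in trusted_servers and a["dst"] not in seen:
            seen.add(a["dst"])
            lines.append(f"suppress gen_id {a['gid']}, sig_id {a['sid']}, track by_dst, ip {a['dst']}")
    return lines


if __name__ == "__main__":
    alerts = bare_byte_alerts(SAMPLE_LOG)
    by_src, by_dst = tally(alerts)
    print("bare-byte alerts by client:", dict(by_src))
    print("bare-byte alerts by server:", dict(by_dst))
    for entry in suppress_lines(alerts, {"10.0.0.20"}):
        print(entry)
```

Run it against a real alert file by replacing `SAMPLE_LOG` with the file contents. If the tally shows the alerts spread across most workstations and concentrated on the two servers, the `by_dst` suppress entries are the narrow fix; if instead one or two clients dominate, those hosts deserve a closer look before anything is suppressed.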