Snort http_inspect

By mm212
I am just learning Snort so any help will be appreciated. I am seeing many "(http_inspect) BARE BYTE UNICODE ENCODING" alerts popping up in Snort.

Reading the readme.http_inspect tells me the details of what this means. If I'm understanding this correctly, this is the escaped ASCII codes such as "%40". readme.http_inspect says "there are no legitimate clients that encoded UTF-8 this way."

I'm finding this hard to believe since we are seeing so many of these, both to the ISA server and to the Outlook Web Access server. Doing a web search turns up a large number of questions like the one I am asking, but I don't see a good answer as to why so many supposedly clean clients would be triggering this and how I can filter out the noise. I find it hard to believe that nearly all of my network clients have hacking tools or viruses on their workstations. I can't find anything wrong with them. These are Windows 2000 clients with the latest Internet Explorer patches and fully updated Symantec Antivirus.

I'm hoping someone out there can educate me on what should be done about these alerts. I appreciate your help.
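An added example, not from the original post and not Snort's own code: a small Python classifier, run over constructed request-URIs, that separates the encodings README.http_inspect distinguishes. It shows that "%40" is an ordinary ASCII percent-escape, while the BARE BYTE alert refers to unescaped bytes at or above 0x80 appearing in the URI. The regexes, sample URIs and function names are my own simplified model of the preprocessor's knobs, not its decoder.

```python
"""Classify request-URI encodings along the lines http_inspect draws.

Added illustration, not Snort code: a simplified model of the ascii, utf_8,
bare_byte, iis_unicode and double_decode options in README.http_inspect.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request-URIs (not taken from the thread). They are bytes
# on purpose: a "bare byte" is a byte >= 0x80 sitting in the URI unescaped.
SAMPLE_URIS = {
    "plain":         b"/exchange/user@example.com/Inbox",
    "ascii_pct":     b"/exchange/user%40example.com/Inbox",   # %40 is '@'
    "utf8_pct":      b"/docs/caf%C3%A9.htm",                  # escaped UTF-8
    "bare_byte":     b"/docs/caf\xc3\xa9.htm",                # raw UTF-8 bytes
    "iis_unicode":   b"/scripts/..%u00c1../cmd.exe",          # %uXXXX, IIS only
    "double_decode": b"/scripts/..%255c../winnt/system32/cmd.exe",
}

PCT_ASCII = re.compile(rb"%[0-7][0-9A-Fa-f]")      # %XX with XX < 0x80
PCT_HIGH = re.compile(rb"%[89A-Fa-f][0-9A-Fa-f]")   # %XX with XX >= 0x80
PCT_U = re.compile(rb"%[uU][0-9A-Fa-f]{4}")         # %uXXXX
PCT_PCT = re.compile(rb"%25[0-9A-Fa-f]{2}")         # %25XX becomes %XX after one pass


def classify_uri(uri: bytes) -> set:
    """Return the set of encoding classes present in a raw request-URI."""
    found = set()
    if PCT_ASCII.search(uri):
        found.add("ascii")          # ordinary escape of a 7-bit char, e.g. %40
    if PCT_HIGH.search(uri):
        found.add("utf_8")          # escaped multibyte sequence, e.g. %C3%A9
    if any(b >= 0x80 for b in uri):
        found.add("bare_byte")      # unescaped high byte: the IIS-only trick
    if PCT_U.search(uri):
        found.add("iis_unicode")    # %u encoding, also IIS-specific
    if PCT_PCT.search(uri):
        found.add("double_decode")  # needs a second decode pass to resolve
    return found


def bare_byte_alert(uri: bytes) -> bool:
    """True when a server config with bare_byte alerting on would fire."""
    return "bare_byte" in classify_uri(uri)


def decode_once(uri: bytes) -> bytes:
    """One %XX decoding pass, the only decoding a standards-compliant
    client and server agree on (%uXXXX is deliberately left alone)."""
    return unquote_to_bytes(uri)


if __name__ == "__main__":
    for name, uri in SAMPLE_URIS.items():
        classes = sorted(classify_uri(uri))
        print(f"{name:14} {classes!s:40} bare_byte alert: {bare_byte_alert(uri)}")
```

Note that `decode_once` turns the escaped form `%C3%A9` into exactly the bytes of the bare-byte sample, which is why http_inspect keeps normalizing bare bytes even when the alert for them is switched off: both forms must resolve to the same path before rules are matched.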

by Jaqui In reply to Snort http_inspect

Snort is right, there is no UTF-8 encoding that looks like that.
The encoding that looks like that is ISO-8859-1,
which is the default for most web servers.
Tell Snort to use ISO-8859-1 as the primary encoding.

by mm212 In reply to

While this answer does sound logical to me as I'm new to Snort, I believe it is incorrect. I found out that the profile I am using is the correct profile. The problem is that one thing is triggering these alerts. I can edit the snort.conf file to read:

preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
# bare_byte is a server-level option, not a global one
preprocessor http_inspect_server: server default \
    ports { 80 } \
    bare_byte no

to filter out all the bare_byte alerts.

by mm212 In reply to Snort http_inspect

Your explanation sounds right. I am looking, but I can't find where to do this. I'll add another 1000 points if you can tell me where and how I make this change. I am new to Snort and like most things, it may take a while for me to be familiar where everything is. Thanks!

by Curacao_Dejavu In reply to Snort http_inspect

First make sure that you have the latest Snort version, as there is an issue with false positives.

Quote (from snort.org):
"Snort 2.2.0 Final Released Brian @ Wed Aug 11 20:59:46 2004 GMT
Hello, Snorters!

Thanks for testing out the Release Candidate, a good number of bugs were squashed for the Final release. To that end, we're pleased to announce the availability of 2.2.0 Final. The following items list what has changed from RC1->Final. Please check it out and let us know what you think!

* Updated database schema diagram from Chris Reid. Schema can be found in ./doc/snort_schema_v106.pdf
* Added --include-pcre* configuration option to help cross compiling. Thanks Erik de Castro Lopo.
* Fixed thresholding/suppression issue with queuing multiple events per packet. Thanks Andreas Ostling.
* When a rebuilt stream causes an alert, log out the original packets instead of the rebuilt packet. Thanks sekure@gmail.com for the report.
* Turned off http_inspect alerts that were causing false positives in the preset webserver profiles (Thanks Dan Roelker).
* Turn off encoding alerts in HTTP parameter field. The parameter field is still normalized, it just doesn't alert. This helps reduce alerts that are generated from complex parameter queries (Thanks Dan Roelker).
* Fixed memory leak in "fast" output. Thanks for your bug report sekure@gmail.com.
* Clear error code which under Windows was causing a subsequent false failure in parsing threshold rules. (Thanks to Rich Adamson)

Further details can be found in Changelog and RELEASE.NOTES.

Thanks!
The Snort Team"


And of course check with Snort's own support forum.

Otherwise, check this:
http://archives.neohapsis.com/archives/snort/2001-07/0755.html


Leopold

by mm212 In reply to

I am using version 2.3. According to your post, version 2.2 fixed the problem. Regarding your link, I am new to Snort. All the technical details don't help me in the slightest as I am not familiar with them.

by mm212 In reply to Snort http_inspect

This question was closed by the author
