Re: BARE BYTE UNICODE ENCODING

From: Nigel Houghton (nigel_at_sourcefire.com)
Date: 06/07/04

  • Next message: Eric Hines: "RE: Testimonials on IDS"
    Date: Mon, 7 Jun 2004 12:09:20 -0400
    To: focus-ids@securityfocus.com
    
    

    Cutting to the chase here...

    This is not a rule generating the alert, it is coming from
    http_inspect. This is configurable using options in snort.conf. The option
    to turn it off is a simple "bare_byte no". I would bet that the generator
    id in the actual event is 119:4:1.

    Copious amounts of information about this can be found in the default
    snort.conf and doc/README.http_inspect. e.g.

    "* bare_byte [yes/no] *
    Bare byte encoding is an IIS trick that uses non-ASCII chars as valid
    values in decoding UTF-8 values. This is NOT in the HTTP standard, as all non-ASCII
    values have to be encoded with a %. Bare byte encoding allows the user to
    emulate an IIS server and interpret non-standard encodings correctly.

    The alert on this decoding should be enabled, because there are no
    legitimate clients that encoded UTF-8 this way, since it is non-standard."

    -------------------------------------------------------------
    Nigel Houghton Research Engineer Sourcefire Inc.
                     Vulnerability Research Team

    In an emergency situation involving two or more officers of equal rank,
    seniority will be granted to whichever officer can program a vcr.
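
The check the quoted README passage describes, sketched as an added example (not part of the original message and not Snort's http_inspect code): flag any non-ASCII byte that arrives unescaped in a request URI, then normalize it so the bare-byte and %-encoded forms compare equal. The function names and sample URIs are assumptions constructed for illustration.

```python
import re

# A well-formed %XX escape in a raw request URI.
PCT_ESCAPE = re.compile(rb"%[0-9A-Fa-f]{2}")


def find_bare_bytes(raw_uri: bytes):
    """Return (offset, value) for each non-ASCII byte sent without %-encoding.

    A %XX escape consists only of ASCII characters, so any byte >= 0x80
    seen on the wire is by definition unescaped ("bare").
    """
    return [(i, b) for i, b in enumerate(raw_uri) if b >= 0x80]


def normalize(raw_uri: bytes) -> str:
    """Resolve %XX escapes, then read the result as UTF-8.

    This models a server that accepts bare bytes: both spellings of the
    same character end up as the same normalized string.
    """
    unescaped = PCT_ESCAPE.sub(
        lambda m: bytes([int(m.group()[1:], 16)]), raw_uri
    )
    return unescaped.decode("utf-8", errors="replace")


def inspect(raw_uri: bytes) -> dict:
    """Report whether the URI should raise a bare-byte alert."""
    hits = find_bare_bytes(raw_uri)
    return {
        "alert": bool(hits),
        "offsets": [offset for offset, _ in hits],
        "normalized": normalize(raw_uri),
    }


# Constructed sample URIs (not taken from any real traffic).
BARE = b"/caf\xc3\xa9.html"      # UTF-8 bytes sent raw
ESCAPED = b"/caf%C3%A9.html"     # same character, standard %-encoding
PLAIN = b"/index.html"           # pure ASCII

if __name__ == "__main__":
    for uri in (BARE, ESCAPED, PLAIN):
        print(uri, inspect(uri))
```

Only the first sample alerts, although the first two normalize to the same path, which is why the sensor has to decode the way the server does.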
