Re: BARE BYTE UNICODE ENCODING
From: Nigel Houghton (nigel_at_sourcefire.com)
Date: 06/07/04
- In reply to: Omar Herrera: "RE: BARE BYTE UNICODE ENCODING"
Date: Mon, 7 Jun 2004 12:09:20 -0400
To: focus-ids@securityfocus.com
Cutting to the chase here...
This is not a rule generating the alert, it is coming from
http_inspect. This is configurable using options in snort.conf. The option
to turn it off is a simple "bare_byte no". I would bet that the generator
id in the actual event is 119:4:1.
Copious amounts of information about this can be found in the default
snort.conf and doc/README.http_inspect. e.g.
"* bare_byte [yes/no] *
Bare byte encoding is an IIS trick that uses non-ASCII chars as valid
values in decoding UTF-8 values. This is NOT in the HTTP standard, as all non-ASCII
values have to be encoded with a %. Bare byte encoding allows the user to
emulate an IIS server and interpret non-standard encodings correctly.
The alert on this decoding should be enabled, because there are no
legitimate clients that encoded UTF-8 this way, since it is non-standard."
-------------------------------------------------------------
Nigel Houghton Research Engineer Sourcefire Inc.
Vulnerability Research Team
In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.
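
Added example, not part of the original message and not Snort's http_inspect code: a minimal Python check for the condition the quoted README text describes, non-ASCII bytes sent raw in a URI instead of percent-encoded. The function names and both sample requests are constructed for illustration.

```python
# Added example: flag "bare byte" characters in an HTTP request URI.
# Function names and sample requests are constructed for illustration.
from urllib.parse import unquote_to_bytes


def split_request_line(line: bytes):
    """Return (method, raw_uri, version) from a raw HTTP request line."""
    parts = line.rstrip(b"\r\n").split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return parts[0], parts[1], parts[2]


def find_bare_bytes(raw_uri: bytes):
    """List (offset, byte) for every raw non-ASCII byte in the URI.

    A %XX escape consists only of ASCII characters, so any byte >= 0x80
    seen on the wire was sent without the percent-encoding HTTP requires.
    """
    return [(i, b) for i, b in enumerate(raw_uri) if b >= 0x80]


def inspect(line: bytes):
    """Normalize the URI as a decoder that accepts bare bytes would, and
    report whether bare bytes were present (the condition to alert on)."""
    _, raw_uri, _ = split_request_line(line)
    bare = find_bare_bytes(raw_uri)
    # Percent-decode; raw high bytes pass through unchanged, so both
    # spellings become the same byte string before UTF-8 decoding.
    decoded = unquote_to_bytes(raw_uri)
    normalized = decoded.decode("utf-8", errors="replace")
    return {"normalized": normalized, "bare_bytes": bare, "alert": bool(bare)}


# Constructed samples: the same path, percent-encoded and bare.
ENCODED = b"GET /caf%C3%A9.html HTTP/1.1\r\n"
BARE = b"GET /caf\xc3\xa9.html HTTP/1.1\r\n"

if __name__ == "__main__":
    for sample in (ENCODED, BARE):
        print(sample, inspect(sample))
```

Both samples normalize to the same path, but only the second raises the alert, which is why the check has to run on the raw URI before decoding.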