IDS mailing list archives
Re: BARE BYTE UNICODE ENCODING
From: Nigel Houghton <nigel () sourcefire com>
Date: Mon, 7 Jun 2004 12:09:20 -0400
Cutting to the chase here...

This is not a rule generating the alert, it is coming from http_inspect. This is configurable using options in snort.conf. The option to turn it off is a simple "bare_byte no". I would bet that the generator id in the actual event is 119:4:1.

Copious amounts of information about this can be found in the default snort.conf and doc/README.http_inspect. e.g.

"* bare_byte [yes/no] *
Bare byte encoding is an IIS trick that uses non-ASCII chars as valid values in decoding UTF-8 values. This is NOT in the HTTP standard, as all non-ASCII values have to be encoded with a %. Bare byte encoding allows the user to emulate an IIS server and interpret non-standard encodings correctly. The alert on this decoding should be enabled, because there are no legitimate clients that encoded UTF-8 this way, since it is non-standard."

-------------------------------------------------------------
Nigel Houghton
Research Engineer
Sourcefire Inc. Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank, seniority will be granted to whichever officer can program a vcr.
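The check the quoted README text describes, as an added example that is not part of the original post and is not Snort's code: a simplified model that flags raw non-ASCII bytes in a request URI and shows how the normalized URI changes when bare byte decoding is switched off. The function names and the sample requests are constructed for illustration, and the 119:4 identifier is the poster's guess from the message above.

```python
import re

ALERT = "119:4 BARE BYTE UNICODE ENCODING"  # gid:sid as guessed in the post

# Constructed sample requests: the same path sent two ways.
BARE = b"GET /caf\xc3\xa9 HTTP/1.0\r\nHost: example.test\r\n\r\n"     # raw UTF-8 bytes
ESCAPED = b"GET /caf%C3%A9 HTTP/1.0\r\nHost: example.test\r\n\r\n"   # standard %XX form

def request_uri(raw):
    """Return the URI field of the request line."""
    parts = raw.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return parts[1]

def bare_byte_offsets(uri):
    """Offsets of non-ASCII bytes that arrived without %XX escaping."""
    return [i for i, b in enumerate(uri) if b >= 0x80]

def normalize(uri, bare_byte):
    """Decode %XX escapes as UTF-8. Raw high bytes take part in the UTF-8
    decode only when bare_byte is on (the IIS-style behaviour in the README);
    otherwise each raw high byte is kept as its own character."""
    if not bare_byte:
        uri = b"".join(chr(b).encode("utf-8") if b >= 0x80 else bytes([b])
                       for b in uri)
    unescaped = re.sub(rb"%([0-9A-Fa-f]{2})",
                       lambda m: bytes([int(m.group(1), 16)]), uri)
    return unescaped.decode("utf-8", errors="replace")

def inspect(raw, bare_byte=True):
    """Return (normalized URI, alerts) for one raw request."""
    uri = request_uri(raw)
    alerts = [ALERT] if bare_byte and bare_byte_offsets(uri) else []
    return normalize(uri, bare_byte), alerts

if __name__ == "__main__":
    for name, raw in (("bare", BARE), ("escaped", ESCAPED)):
        for setting in (True, False):
            print(name, "bare_byte=%s" % setting, inspect(raw, setting))
```

With the option on, both requests normalize to the same path and only the bare-byte one alerts; with it off, the alert goes away but the normalized path no longer matches what an IIS-style server would decode.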