IDS mailing list archives

Re: BARE BYTE UNICODE ENCODING


From: Nigel Houghton <nigel () sourcefire com>
Date: Mon, 7 Jun 2004 12:09:20 -0400

Cutting to the chase here...

This is not a rule generating the alert, it is coming from 
http_inspect. This is configurable using options in snort.conf. The option
to turn it off is a simple "bare_byte no". I would bet that the generator
id in the actual event is 119:4:1.

Copious amounts of information about this can be found in the default
snort.conf and doc/README.http_inspect. e.g.

"* bare_byte [yes/no] *
Bare byte encoding is an IIS trick that uses non-ASCII chars as valid
values in decoding UTF-8 values.  This is NOT in the HTTP standard, as all non-ASCII
values have to be encoded with a %.  Bare byte encoding allows the user to
emulate an IIS server and interpret non-standard encodings correctly.

The alert on this decoding should be enabled, because there are no
legitimate clients that encoded UTF-8 this way, since it is non-standard."

-------------------------------------------------------------
Nigel Houghton       Research Engineer        Sourcefire Inc.
                 Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.
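
The distinction drawn in the quoted README text, shown as an added example that is not part of the original message and is not Snort's http_inspect code: a Python check that flags raw non-ASCII bytes in a request URI and leaves the %-encoded form alone. The function names and the sample request lines are constructed for illustration.

```python
# Added example: names and sample request lines are constructed for illustration.
# This is not Snort's http_inspect code.

def utf8_seq_len(lead: int) -> int:
    """Sequence length announced by a UTF-8 lead byte, or 0 if it is not one."""
    if 0xC0 <= lead <= 0xDF:
        return 2
    if 0xE0 <= lead <= 0xEF:
        return 3
    if 0xF0 <= lead <= 0xF7:
        return 4
    return 0

def find_bare_bytes(request_line: bytes):
    """Return (offset, raw_bytes, decoded_or_None) for every raw non-ASCII
    byte sequence in the URI of an HTTP request line."""
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return []
    uri = parts[1]
    findings, i = [], 0
    while i < len(uri):
        if uri[i] < 0x80:          # ASCII, including the bytes of %XX escapes
            i += 1
            continue
        seq = uri[i:i + (utf8_seq_len(uri[i]) or 1)]
        try:
            char = seq.decode("utf-8")
        except UnicodeDecodeError:
            # Not well-formed UTF-8: report the single byte and resync.
            seq, char = uri[i:i + 1], None
        findings.append((i, seq, char))
        i += len(seq)
    return findings

if __name__ == "__main__":
    samples = [
        b"GET /caf%C3%A9.html HTTP/1.1",    # standard: non-ASCII sent as %XX
        b"GET /caf\xc3\xa9.html HTTP/1.1",  # bare bytes: same character sent raw
        b"GET /a\xff HTTP/1.1",             # raw byte that is not UTF-8 at all
    ]
    for line in samples:
        hits = find_bare_bytes(line)
        print("ALERT" if hits else "ok   ", line, hits)
```

The decoded character in each finding is what a normalizer emulating the server would hand to later URI matching; `None` marks bytes that do not form well-formed UTF-8.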
