Snort mailing list archives

http_inspect ?'s


From: John Hally <JHally () epnet com>
Date: Tue, 26 Jul 2005 09:13:03 -0400

Hello All,

I've been playing around with the http_inspect preprocessor and let it go
overnight with what I think is a pretty vanilla setup:

preprocessor http_inspect: global iis_unicode_map unicode.map 1252 detect_anomalous_servers

preprocessor http_inspect_server: server default profile all ports { 80 }

I now have a huge amount of alerts for Double Decoding Attack, Bare Byte
Unicode encoding, and to a lesser extent, IIS Unicode Codepoint Encoding.

I've looked through a good amount of these and the actual traffic seems to
be legit. Is it possible that the application we have running on a farm of
IIS servers is using these abnormal encodes/decodes, or am I potentially
missing something?

Thanks in advance.

John.
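As an added example (not part of John's post and not Snort's http_inspect code), here is a simplified Python approximation of the three checks behind the alert names he lists; it lets you run logged request URIs from the IIS farm through the same heuristics and see which encodings the application itself emits. The sample URIs are constructed, and the labels and function names are my own.

```python
"""Classify HTTP request URIs by the encoding tricks http_inspect alerts on.

Simplified approximation of three http_inspect checks (double decoding,
bare byte, IIS %u codepoint encoding). Not Snort's own implementation; it
is meant for triaging URIs pulled from alerts or web server logs.
"""
import re
from urllib.parse import unquote_to_bytes

PCT_U = re.compile(r"%u[0-9A-Fa-f]{4}")    # IIS-only %uXXXX codepoint form
PCT_HEX = re.compile(r"%[0-9A-Fa-f]{2}")   # ordinary %XX escape


def classify_uri(raw: bytes) -> set:
    """Return the set of anomaly labels (my naming) that apply to raw."""
    findings = set()
    # Bare byte: a byte >= 0x80 sent unencoded inside the request URI.
    if any(b >= 0x80 for b in raw):
        findings.add("bare_byte")
    text = raw.decode("latin-1")
    # IIS unicode codepoint encoding: %uXXXX escapes only IIS understands.
    if PCT_U.search(text):
        findings.add("iis_unicode_codepoint")
    # Double decoding: after one decode pass the URI still holds %XX
    # escapes (e.g. %252e -> %2e -> '.'), so the sender relied on the
    # server decoding a second time.
    once = unquote_to_bytes(raw)
    if PCT_HEX.search(once.decode("latin-1")):
        findings.add("double_decoding")
    return findings


def triage(uris):
    """Count how many of the given URIs trigger each label."""
    counts = {}
    for u in uris:
        for label in classify_uri(u):
            counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample URIs, not captured traffic.
SAMPLE_URIS = [
    b"/app/search?q=hello%20world",   # clean: single-level encoding
    b"/app/%252e%252e/config",        # double encoded: %25 -> %, then %2e
    b"/app/%u0041bc",                 # %u codepoint form
    b"/app/caf\xc3\xa9",              # raw UTF-8 bytes, unencoded
]

if __name__ == "__main__":
    for u in SAMPLE_URIS:
        print(u, sorted(classify_uri(u)))
    print(triage(SAMPLE_URIS))
```

Feeding it the URIs from a day of alerts shows whether one application path accounts for most hits, which is the quickest way to decide between a legitimate encoding quirk and something to investigate.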

