Re: snort-stat warnings
Hi,
well, it's mir first post on this list. So please don't flame me ;-)
Ok under the docoments of snort is a file called README.http_inspect ,
from which I quote:
Bare byte encoding is an IIS trick that uses non-ASCII chars as valid
values in
decoding UTF-8 values. This is NOT in the HTTP standard, as all non-ASCII
values have to be encoded with a %. Bare byte encoding allows the user to
emulate an IIS server and interpret non-standard encodings correctly.
The alert on this decoding should be enabled, because there are no
legitimate
clients that encoded UTF-8 this way, since it is non-standard.
hope this helps
Bye,
Bjoern aka salacryl
Adam D. Barratt wrote:
Hi,
We're running snort 2.3.3-11 on etch, and for the past few days the
cron.daily job has been generating a number of "Warning, file may be
incomplete" messages.
After a little experimentation, it appears that this is due to
/var/log/snort/alert containing the "header" line for a number of alerts
repeated (either that or the remaining data from the first item being
lost); for example:
[...]
[[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]]
[[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]]
[...]
Does anyone know what causes this, and whether it's anything we need
to be worried about?
Cheers,
Adam
Reply to: