[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: snort-stat warnings


well, it's mir first post on this list. So please don't flame me ;-)

Ok under the docoments of snort is a file called README.http_inspect , from which I quote:

Bare byte encoding is an IIS trick that uses non-ASCII chars as valid
values in
 decoding UTF-8 values. This is NOT in the HTTP standard, as all non-ASCII
 values have to be encoded with a %. Bare byte encoding allows the user to
 emulate an IIS server and interpret non-standard encodings correctly.

The alert on this decoding should be enabled, because there are no
 clients that encoded UTF-8 this way, since it is non-standard.

hope this helps


Bjoern aka salacryl

Adam D. Barratt wrote:

We're running snort 2.3.3-11 on etch, and for the past few days the
cron.daily job has been generating a number of "Warning, file may be incomplete" messages.

After a little experimentation, it appears that this is due to
/var/log/snort/alert containing the "header" line for a number of alerts repeated (either that or the remaining data from the first item being lost); for example:

 [[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]]
 [[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]]

Does anyone know what causes this, and whether it's anything we need
to be worried about?



Reply to: