
Re: snort-stat warnings



Hi,

well, it's my first post on this list. So please don't flame me ;-)

OK, under the documents of snort is a file called README.http_inspect, from which I quote:

 Bare byte encoding is an IIS trick that uses non-ASCII chars as valid values in
 decoding UTF-8 values. This is NOT in the HTTP standard, as all non-ASCII
 values have to be encoded with a %. Bare byte encoding allows the user to
 emulate an IIS server and interpret non-standard encodings correctly.

 The alert on this decoding should be enabled, because there are no legitimate
 clients that encoded UTF-8 this way, since it is non-standard.

hope this helps

Bye,

Bjoern aka salacryl

Adam D. Barratt wrote:
 Hi,

We're running snort 2.3.3-11 on etch, and for the past few days the
cron.daily job has been generating a number of "Warning, file may be incomplete" messages.

After a little experimentation, it appears that this is due to
/var/log/snort/alert containing the "header" line for a number of alerts repeated (either that or the remaining data from the first item being lost); for example:

 [...]
 [[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]]
 [[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]]
 [...]

Does anyone know what causes this, and whether it's anything we need
to be worried about?

 Cheers,

 Adam
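
The README passage quoted above, as an added example that is not part of the original posts and is not Snort's own code: a small Python check that flags bare (un-escaped) non-ASCII bytes in a raw request URI and shows that they normalize to the same path as the standard %-encoded form. The function name `inspect_uri` and the sample URIs are constructed for illustration.

```python
import re

# Matches one %XX escape in a raw URI.
_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")


def inspect_uri(raw_uri: bytes) -> dict:
    """Report bare non-ASCII bytes in a raw request URI and normalize it.

    Per the HTTP standard every non-ASCII byte must arrive as %XX, so any
    byte >= 0x80 seen on the wire is a "bare byte".
    """
    bare_offsets = [i for i, b in enumerate(raw_uri) if b >= 0x80]

    # Decode %XX escapes and leave bare bytes in place, so that escaped and
    # bare bytes can combine into UTF-8 sequences, as a server that
    # tolerates bare bytes would read them.
    decoded = _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), raw_uri)
    try:
        normalized = decoded.decode("utf-8")
        valid_utf8 = True
    except UnicodeDecodeError:
        normalized = decoded.decode("utf-8", errors="replace")
        valid_utf8 = False

    return {
        "alert": bool(bare_offsets),       # non-standard encoding seen
        "bare_byte_offsets": bare_offsets,
        "valid_utf8": valid_utf8,
        "normalized": normalized,
    }


# Constructed sample URIs: the same path written three ways.
STANDARD = b"/caf%C3%A9.html"      # both UTF-8 bytes %-encoded (standard)
BARE = b"/caf\xc3\xa9.html"        # both UTF-8 bytes sent bare
MIXED = b"/caf%C3\xa9.html"        # first byte escaped, second byte bare

if __name__ == "__main__":
    for name, uri in (("standard", STANDARD), ("bare", BARE), ("mixed", MIXED)):
        result = inspect_uri(uri)
        print(f"{name:8} alert={result['alert']!s:5} "
              f"offsets={result['bare_byte_offsets']} "
              f"normalized={result['normalized']!r}")
```

All three forms normalize to the same path, which is why a sensor has to decode bare bytes the way the server does before matching, while still alerting because the standard form never puts these bytes on the wire.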


