Snort Forums Archive
(http_inspect) BARE BYTE UNICODE ENCODING
Posted by jvhaysx on March 18, 2005 10:35:49
snort.log:Feb 28 16:24:06 lsnort01 snort: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING {TCP}
I've been getting this from Internet addresses going to our DMZ web servers. So far I haven't found a clear explanation of this via Google. Anybody have a good link?
And since it matches a rule, why isn't there more info on the RULES page? (Perhaps it's a category of attacks that's difficult to characterize in detail?) Thanks - Jonathan
|
Posted by MikeDaGeek on March 20, 2005 10:30:54
Under the DOCs directory you will find a README.http_inspect that will tell you more ... it left me a little dazed and confused ... I'm trying to find out how to reduce the false positives off our SMS server that triggers that rule
|
Posted by nigel on March 20, 2005 19:22:14
It's not a rule event, it's a pre-processor event. And documents do exist. First look at the README.http_inspect then look in the docs for one named 119-4.txt.
--
Nigel
|
Posted by tomthebomb007 on April 01, 2005 08:20:17
The 119-4.txt is in docs/signatures/
|
Posted by kiran_z on December 08, 2005 19:09:32
Can anybody tell how to pass this rule "(http_inspect) BARE BYTE UNICODE ENCODING {TCP}" in local.rules?
|
Posted by softoxa on May 31, 2006 09:15:18
You can't. This alert is not thrown by a rule, but by the http_inspect preprocessor, which are 2 different things.
|
Posted by maraida on June 15, 2006 23:10:32
vi /etc/snort/threshold.conf
suppress gen_id 119, sig_id 4 # http_inspect: BARE BYTE UNICODE ENCODING
|
Posted by lukeBFTH on July 03, 2006 01:36:48
You may also vi /etc/snort/snort.conf and try with preprocessor:
preprocessor http_inspect_server: server default \
profile apache ports { 80 } oversize_dir_length 500
Works?
|
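Added example, not part of any post in this thread: the suppress line above silences 119:4 for every host, including Internet traffic to the DMZ web servers. This sketch tallies 119:4 alerts per source from Snort syslog lines and emits `suppress ... track by_src, ip` entries only for senders you have already reviewed (such as an internal SMS server), leaving the rest visible. The sample log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Snort 2.x syslog alert: "[gid:sid:rev] message {PROTO} src:port -> dst:port"
ALERT = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample lines; addresses are private/documentation ranges.
SAMPLE = """\
Feb 28 16:24:06 lsnort01 snort: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING {TCP} 10.1.1.54:1722 -> 10.1.2.10:80
Feb 28 16:24:09 lsnort01 snort: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING {TCP} 10.1.1.54:1723 -> 10.1.2.10:80
Feb 28 16:25:41 lsnort01 snort: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING {TCP} 198.51.100.23:40112 -> 192.0.2.80:80
Feb 28 16:26:02 lsnort01 snort: [1:1000001:1] LOCAL constructed test rule {TCP} 198.51.100.23:40113 -> 192.0.2.80:80
"""

def event_kind(gid):
    """gen_id 1 (text rules) and 3 (shared-object rules) are rule events;
    other generators, such as 119 (http_inspect), are preprocessor/decoder events."""
    return "rule" if gid in (1, 3) else "preprocessor/decoder"

def parse(lines):
    """Yield (gid, sid, src, dst) for each line that looks like an alert."""
    for line in lines:
        m = ALERT.search(line)
        if m:
            yield int(m["gid"]), int(m["sid"]), m["src"], m["dst"]

def scoped_suppressions(lines, gid, sid, reviewed_sources):
    """Return (threshold.conf lines for reviewed senders, [(src, count)] still to triage)."""
    hits = Counter(src for g, s, src, _ in parse(lines) if (g, s) == (gid, sid))
    conf, remaining = [], []
    for src, count in sorted(hits.items()):
        if src in reviewed_sources:
            conf.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
        else:
            remaining.append((src, count))
    return conf, remaining

if __name__ == "__main__":
    conf, remaining = scoped_suppressions(SAMPLE.splitlines(), 119, 4, {"10.1.1.54"})
    print("\n".join(conf))
    for src, count in remaining:
        print(f"# still alerting: {src} ({count} event(s), {event_kind(119)})")
```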