
119:15 HI_CLIENT_OVERSIZE_DIR, and all other 119 alerts

bhaskarayani
Level 1

How do I tune this signature within Sourcefire? We have so many alerts triggering whenever connections are initiated from inside to outside while accessing any website in the Business/News category and many other categories. HTTP inspection is already enabled.

We also have too many alerts for the following:

HI_CLIENT_IIS_UNICODE 119:7

HI_CLIENT_BARE_BYTE 119:4

HI_CLIENT_DOUBLE_DECODE 119:2

How can we suppress them in the right way? What is the best approach to deal with this stuff?

Thanks

4 Replies

Aastha Bhardwaj
Cisco Employee

Hi,

They are not indicating an intrusion attempt, but rather a violation of protocol standards. A GID of 119, like these rules have, indicates that it is not a standard rule but a preprocessor that is triggering these; more specifically, 119 is the HTTP Inspect preprocessor.


> HI_CLIENT_IIS_UNICODE (119:7) - indicates that a very long URI was used.

> HI_CLIENT_DOUBLE_DECODE (119:2) - Some characters were encoded twice.

> HI_CLIENT_BARE_BYTE (119:4) - Microsoft IIS servers are able to use non-ASCII characters as values when decoding UTF-8 values. This is non-standard behavior for a web server and violates RFC recommendations. All non-ASCII values should be encoded with a %. This event may indicate an attack against a web server or at the least an attempt to evade an IDS. No web clients encode UTF-8 characters in this way. This is most likely a malicious request.

But you can suppress the events. You can do that based on either source, destination, or rule. In this case you can do that based on rule.

Refer : http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/Intrusion-Events.html#pgfId-4185933

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Sorry for the delayed response. This is quite informative. Thank you.

Aastha,

Would you suggest suppressing these alerts or creating a pass rule? My internal web filter is triggering a lot of these alerts in my IPS as it connects to some outside destinations. I'm sure it is a false positive and not an indication of an attack. I was thinking of creating pass rules for these alerts when my web filter is the source IP, because I believe suppression will simply drop the packets without any logging at all, and I don't like that idea. The only issue I have with the pass rules is that if the rule they were copied from changes, it will not affect my pass rule. I wonder if there is a situation where the original rule changes to such a degree that my pass rule no longer functions, and then my IPS suddenly begins dropping these packets. That could be very bad for us, because the packets dropped would be from our internal users trying to reach sites on the internet.

Thoughts?

I see 119:4s happening to a remote IIS server. My best guess is that a filter rule should be created, allowing known traffic to pass.
