cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11830
Views
15
Helpful
2
Replies

BARE BYTE UNICODE ENCODING

Mark^
Level 1
Level 1

I am getting the following alerts and cann't figrue them out:

[119:4:1] http_inspect: BARE BYTE UNICODE ENCODING [Impact: Unknown Target] From "10.x.x.x" at Tue Nov 24 18:48:29 2015 UTC [Classification: Not Suspicious Traffic] [Priority: 3] {tcp} 9.1.0.0:35128 (united states)->20.0.0.0:443 (united states)

Notice the source and destinaion networks -- those are not on my network and not even in any of my public subnets.

This traffic is classified as "not suspicious" however if you get the Rule Documentation of "BARE BYT UNICODE ENCODING" from DC, it tells you that the ease of atack is simple and that there are no known false postives or false negatives.

Mark
2 Replies 2

Aastha Bhardwaj
Cisco Employee
Cisco Employee

Hi,

Bare byte encoding is an IIS trick that uses non-ASCII chars as valid values in decoding

UTF-8 values. This is NOT in the HTTP standard, as all non-ASCII values have to be encoded

with a %. Bare byte encoding allows the user to emulate an IIS server and interpret

non-standard encodings correctly. The alert on this decoding should be enabled, because

there are no legitimate clients that encoded UTF-8 this way, since it is non-standard. In

summary, only IIS servers use this type of encoding, which is not an HTTP standard, and no

client connecting to the server should use this type of encoding.


If you want to leave the feature in place, but not see the large number of events, you can

disable the signature in question in your IPS policy and leave the functionality in place

in the HTTP preprocessor for the Normalize UTF Encodings to UTF-8 option.

For now its priotity-3 which means it is not vulnerable.But you can suppress the events if you want. To check if its false positive or not we would need to check the captures for same.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

That does help explain much of what I was reading in a Google search, however why does it show "{tcp} 9.1.0.0:35128 (united states)->20.0.0.0:443 (united states)" Specifically, why 9.1.0.0 -> 20.0.0.0? I did not sanitize those. I am also getting 65.0.0.0 -> 20.0.0.0. These networks are not connected to my environment.

Mark
Review Cisco Networking for a $25 gift card