Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
11768
Views
15
Helpful
2
Replies

BARE BYTE UNICODE ENCODING

Mark^
Level 1
Level 1

‎11-24-2015 11:03 AM - edited ‎03-12-2019 05:49 AM

I am getting the following alerts and cann't figrue them out:

[119:4:1] http_inspect: BARE BYTE UNICODE ENCODING [Impact: Unknown Target] From "10.x.x.x" at Tue Nov 24 18:48:29 2015 UTC [Classification: Not Suspicious Traffic] [Priority: 3] {tcp} 9.1.0.0:35128 (united states)->20.0.0.0:443 (united states)

Notice the source and destinaion networks -- those are not on my network and not even in any of my public subnets.

This traffic is classified as "not suspicious" however if you get the Rule Documentation of "BARE BYT UNICODE ENCODING" from DC, it tells you that the ease of atack is simple and that there are no known false postives or false negatives.

Mark
2 people had this problem
Labels:
0 Helpful
2 Replies 2

Aastha Bhardwaj
Cisco Employee
Cisco Employee

‎11-24-2015 11:34 AM

Hi,

Bare byte encoding is an IIS trick that uses non-ASCII chars as valid values in decoding

UTF-8 values. This is NOT in the HTTP standard, as all non-ASCII values have to be encoded

with a %. Bare byte encoding allows the user to emulate an IIS server and interpret

non-standard encodings correctly. The alert on this decoding should be enabled, because

there are no legitimate clients that encoded UTF-8 this way, since it is non-standard. In

summary, only IIS servers use this type of encoding, which is not an HTTP standard, and no

client connecting to the server should use this type of encoding.


If you want to leave the feature in place, but not see the large number of events, you can

disable the signature in question in your IPS policy and leave the functionality in place

in the HTTP preprocessor for the Normalize UTF Encodings to UTF-8 option.

For now its priotity-3 which means it is not vulnerable.But you can suppress the events if you want. To check if its false positive or not we would need to check the captures for same.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Mark^
Level 1
Level 1
In response to Aastha Bhardwaj

‎11-24-2015 11:38 AM

That does help explain much of what I was reading in a Google search, however why does it show "{tcp} 9.1.0.0:35128 (united states)->20.0.0.0:443 (united states)" Specifically, why 9.1.0.0 -> 20.0.0.0? I did not sanitize those. I am also getting 65.0.0.0 -> 20.0.0.0. These networks are not connected to my environment.

Mark
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card