Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Can't update website from outside the network. pfSense is blocking

Posted on 2014-10-31
2
Medium Priority
?
504 Views
Last Modified: 2014-11-01
We have a wordpress site that employees can access internally and externally to update their respective information as needed.  We can log in to the site and make updates internally but employees can't do it when they are external.

The site is reachable externally and they can log in to see everything but even if they try to upload any file at all, it just spins and says that the file is uploading but it never leaves the screen that says it's updating.

Interestingly enough, the file transfer actually does complete for some users but they end up getting blocked by pfSense.

I have tried this from home and my PC gets blocked by Snort with this message:
(http_inspect) BARE BYTE UNICODE ENCODING - 10/31/14-15:10:57

On the Snort alerts, my IP is listed like this:
Date                  Pri      Proto      Class                                       Source               SPort           Destination            DPort      SID
10/31/14            3           TCP         Not Suspicious Traffic          <My IP>          53621         <Website IP>            80          119:4
15:10:57      3

Description
(http_inspect) BARE BYTE UNICODE ENCODING

Any direction would be helpful.
0
Comment
Question by:Paul Wagner
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 64

Accepted Solution

by:
btan earned 2000 total points
ID: 40417119
This http alert is discussed in forum and known to be false positive 99% of the time. The best way to deal with it is to add a Suppress List entry so that it no longer alerts and blocks.
Bare byte encoding is an IIS trick that uses non-ASCII chars as valid values in decoding UTF-8 values.  This is NOT in the HTTP standard, as all non-ASCII values have to be encoded with a %.  Bare byte encoding allows the user to emulate an IIS server and interpret
non-standard encodings correctly.

The alert on this decoding should be enabled, because there are no legitimate clients that encoded UTF-8 this way, since it is non-standard.
To add a Suppress Entry, find the alert in the Alerts tab list and click the plus sign (+) beside it in the GID:SID column.  That will auto-add it to the Suppress List.  Restart Snort on the interface and that alert will no longer cause a block.  
e.g. #(http_inspect) BARE BYTE UNICODE ENCODING
suppress gen_id 119, sig_id 4

False positives are normal on any IPS/IDS, this is part and parcel of rule tuning. In this case, if this is not experienced in the past, it is likely after the IPS signature upgrade, the tuning is not done ... Nonethless, good to check other errors too. For info, another common Also is "DOUBLE DECODING ATTACK" alert.
0
 
LVL 5

Author Closing Comment

by:Paul Wagner
ID: 40417165
That was precisely the correct solution. Thanks!
0

Featured Post

Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ever wonder what it's like to get hit by ransomware? "Tom" gives you all the dirty details first-hand – and conveys the hard lessons his company learned in the aftermath.
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question