Solved

Can't update website from outside the network. pfSense is blocking

Posted on 2014-10-31
Last Modified: 2014-11-01
We have a WordPress site that employees can access internally and externally to update their respective information as needed.  We can log in to the site and make updates internally but employees can't do it when they are external.

The site is reachable externally and they can log in to see everything but even if they try to upload any file at all, it just spins and says that the file is uploading but it never leaves the screen that says it's updating.

Interestingly enough, the file transfer actually does complete for some users but they end up getting blocked by pfSense.

I have tried this from home and my PC gets blocked by Snort with this message:
(http_inspect) BARE BYTE UNICODE ENCODING - 10/31/14-15:10:57

On the Snort alerts, my IP is listed like this:
Date               Pri  Proto  Class                   Source   SPort  Destination   DPort  SID
10/31/14 15:10:57  3    TCP    Not Suspicious Traffic  <My IP>  53621  <Website IP>  80     119:4

Description
(http_inspect) BARE BYTE UNICODE ENCODING

Any direction would be helpful.
Question by:Paul Wagner
2 Comments
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 40417119
This HTTP alert is discussed in the forum and is known to be a false positive 99% of the time. The best way to deal with it is to add a Suppress List entry so that it no longer alerts and blocks.
Bare byte encoding is an IIS trick that uses non-ASCII chars as valid values in decoding UTF-8 values.  This is NOT in the HTTP standard, as all non-ASCII values have to be encoded with a %.  Bare byte encoding allows the user to emulate an IIS server and interpret non-standard encodings correctly.

The alert on this decoding should be enabled, because there are no legitimate clients that encode UTF-8 this way, since it is non-standard.
To add a Suppress Entry, find the alert in the Alerts tab list and click the plus sign (+) beside it in the GID:SID column.  That will auto-add it to the Suppress List.  Restart Snort on the interface and that alert will no longer cause a block.  
e.g.
#(http_inspect) BARE BYTE UNICODE ENCODING
suppress gen_id 119, sig_id 4

False positives are normal on any IPS/IDS; this is part and parcel of rule tuning. In this case, if this was not experienced in the past, it is likely that the tuning was not done after the IPS signature upgrade ... Nonetheless, it is good to check other errors too. For info, another common alert is "DOUBLE DECODING ATTACK".
0
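Added example, not part of the original answer and not Snort's own code: a simplified Python model of the condition the answer describes (non-ASCII bytes in the request URI that are not %-encoded), useful for checking captured request lines before deciding to suppress 119:4. The function names and the sample request lines are constructed for illustration.

```python
# Simplified model of "bare byte" detection; NOT Snort's http_inspect logic.
# Assumption: any raw byte above 0x7F in the request-target counts as bare.
from urllib.parse import quote

def request_target(request_line: bytes) -> bytes:
    """Return the request-target from 'METHOD target HTTP/x.y'."""
    parts = request_line.rstrip(b"\r\n").split(b" ")
    if len(parts) < 3:
        raise ValueError("not an HTTP/1.x request line")
    # Everything between method and version is the target, even if a
    # sloppy client left raw spaces in it.
    return b" ".join(parts[1:-1])

def bare_bytes(request_line: bytes) -> list:
    """(offset, value) of each raw non-ASCII byte in the request-target."""
    target = request_target(request_line)
    return [(i, b) for i, b in enumerate(target) if b > 0x7F]

def standard_form(request_line: bytes) -> str:
    """The same target with every non-ASCII byte percent-encoded."""
    # '%' is kept safe so existing %XX escapes are not double-encoded.
    return quote(request_target(request_line), safe="/?&=%:@+,;!$'()*")

def triage(request_line: bytes) -> str:
    """One-line verdict for an analyst reviewing a capture."""
    hits = bare_bytes(request_line)
    if not hits:
        return "ok: request-target is pure ASCII"
    offsets = ", ".join(f"{i}:0x{b:02X}" for i, b in hits)
    return f"bare bytes at {offsets}; standard form: {standard_form(request_line)}"

# Constructed sample request lines (not taken from the poster's traffic).
SAMPLES = [
    b"GET /wp-content/uploads/report.pdf HTTP/1.1\r\n",
    b"GET /wp-content/uploads/r%C3%A9sum%C3%A9.pdf HTTP/1.1\r\n",  # standard
    b"GET /wp-content/uploads/r\xc3\xa9sum\xc3\xa9.pdf HTTP/1.1\r\n",  # bare
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(triage(line))
```

If the triage shows the request line itself is clean, the alert is being raised on something other than the URI the client sent, which supports treating it as a false positive.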
 
LVL 4

Author Closing Comment

by:Paul Wagner
ID: 40417165
That was precisely the correct solution. Thanks!