Solved

Can't update website from outside the network. pfSense is blocking

Posted on 2014-10-31
2
490 Views
Last Modified: 2014-11-01
We have a wordpress site that employees can access internally and externally to update their respective information as needed.  We can log in to the site and make updates internally but employees can't do it when they are external.

The site is reachable externally and they can log in to see everything but even if they try to upload any file at all, it just spins and says that the file is uploading but it never leaves the screen that says it's updating.

Interestingly enough, the file transfer actually does complete for some users but they end up getting blocked by pfSense.

I have tried this from home and my PC gets blocked by Snort with this message:
(http_inspect) BARE BYTE UNICODE ENCODING - 10/31/14-15:10:57

On the Snort alerts, my IP is listed like this:
Date                  Pri      Proto      Class                                       Source               SPort           Destination            DPort      SID
10/31/14            3           TCP         Not Suspicious Traffic          <My IP>          53621         <Website IP>            80          119:4
15:10:57      3

Description
(http_inspect) BARE BYTE UNICODE ENCODING

Any direction would be helpful.
0
Comment
Question by:Paul Wagner
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 40417119
This http alert is discussed in forum and known to be false positive 99% of the time. The best way to deal with it is to add a Suppress List entry so that it no longer alerts and blocks.
Bare byte encoding is an IIS trick that uses non-ASCII chars as valid values in decoding UTF-8 values.  This is NOT in the HTTP standard, as all non-ASCII values have to be encoded with a %.  Bare byte encoding allows the user to emulate an IIS server and interpret
non-standard encodings correctly.

The alert on this decoding should be enabled, because there are no legitimate clients that encoded UTF-8 this way, since it is non-standard.
To add a Suppress Entry, find the alert in the Alerts tab list and click the plus sign (+) beside it in the GID:SID column.  That will auto-add it to the Suppress List.  Restart Snort on the interface and that alert will no longer cause a block.  
e.g. #(http_inspect) BARE BYTE UNICODE ENCODING
suppress gen_id 119, sig_id 4

False positives are normal on any IPS/IDS, this is part and parcel of rule tuning. In this case, if this is not experienced in the past, it is likely after the IPS signature upgrade, the tuning is not done ... Nonethless, good to check other errors too. For info, another common Also is "DOUBLE DECODING ATTACK" alert.
0
 
LVL 5

Author Closing Comment

by:Paul Wagner
ID: 40417165
That was precisely the correct solution. Thanks!
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this increasingly digital world, security hacks are no longer just a threat, but a reality. As we've witnessed with Target's big identity hack 2013, Heartbleed in 2015, and now Cloudbleed, companies and their leaders need to prepare for the unthi…
Do you know what to look for when considering cloud computing? Should you hire someone or try to do it yourself? I'll be covering these questions and looking at the best options for you and your business.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question