Solved

Can't update website from outside the network. pfSense is blocking

Posted on 2014-10-31
486 Views
Last Modified: 2014-11-01
We have a wordpress site that employees can access internally and externally to update their respective information as needed.  We can log in to the site and make updates internally but employees can't do it when they are external.

The site is reachable externally and they can log in to see everything but even if they try to upload any file at all, it just spins and says that the file is uploading but it never leaves the screen that says it's updating.

Interestingly enough, the file transfer actually does complete for some users but they end up getting blocked by pfSense.

I have tried this from home and my PC gets blocked by Snort with this message:
(http_inspect) BARE BYTE UNICODE ENCODING - 10/31/14-15:10:57

On the Snort alerts, my IP is listed like this:
Date               Pri  Proto  Class                   Source    SPort  Destination   DPort  SID
10/31/14 15:10:57  3    TCP    Not Suspicious Traffic  <My IP>   53621  <Website IP>  80     119:4

Description
(http_inspect) BARE BYTE UNICODE ENCODING

Any direction would be helpful.
Question by: Paul Wagner
Accepted Solution

by: btan (earned 500 total points)
ID: 40417119
This HTTP alert is discussed in the forum and known to be a false positive 99% of the time. The best way to deal with it is to add a Suppress List entry so that it no longer alerts and blocks.
Bare byte encoding is an IIS trick that uses non-ASCII chars as valid values in decoding UTF-8 values. This is NOT in the HTTP standard, as all non-ASCII values have to be encoded with a %. Bare byte encoding allows the user to emulate an IIS server and interpret non-standard encodings correctly.

The alert on this decoding should be enabled, because there are no legitimate clients that encode UTF-8 this way, since it is non-standard.
To add a Suppress Entry, find the alert in the Alerts tab list and click the plus sign (+) beside it in the GID:SID column.  That will auto-add it to the Suppress List.  Restart Snort on the interface and that alert will no longer cause a block.  
e.g. #(http_inspect) BARE BYTE UNICODE ENCODING
suppress gen_id 119, sig_id 4

False positives are normal on any IPS/IDS; this is part and parcel of rule tuning. In this case, if this was not experienced in the past, it is likely that the tuning was not done after the IPS signature upgrade ... Nonetheless, it is good to check other errors too. For info, another common alert is "DOUBLE DECODING ATTACK".
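To make the answer above concrete, here is an added example (written for this thread, not pfSense or Snort code) that checks HTTP request lines for the bare-byte condition GID 119 / SID 4 flags, shows the percent-encoded form a compliant client sends, and builds the suppress line from the GID:SID shown in the alert list. The request lines and the IP address are constructed sample values.

```python
"""Detection logic for the condition behind Snort GID 119 / SID 4 (http_inspect
BARE BYTE UNICODE ENCODING) and a builder for the suppress-list entry the
answer describes. Example code written for this thread, not pfSense or Snort code."""
from urllib.parse import quote


def bare_bytes(request_line: bytes) -> list:
    """Return (offset, byte) pairs for raw octets >= 0x80 in the request target.
    RFC 3986 requires such octets to be percent-encoded, so any hit is what
    http_inspect reports as a bare byte."""
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return []
    return [(i, b) for i, b in enumerate(parts[1]) if b >= 0x80]


def percent_encoded(path: str) -> str:
    """Standards-compliant form of the same path: UTF-8 bytes, then %XX per octet."""
    return quote(path, safe="/")


def suppress_entry(gid_sid: str, track_src_ip: str = "") -> str:
    """Turn a GID:SID from the alert list (e.g. '119:4') into a Snort suppress line.
    Without track_src_ip the alert is silenced for every source, as in the answer;
    with it, only the named source is suppressed (Snort's track by_src syntax)."""
    gid, sid = (int(x) for x in gid_sid.split(":"))
    line = f"suppress gen_id {gid}, sig_id {sid}"
    if track_src_ip:
        line += f", track by_src, ip {track_src_ip}"
    return line


# Constructed sample request lines: a compliant upload and the same upload with
# the filename sent as raw UTF-8 bytes, which is what triggers the alert.
GOOD = b"POST /wp-admin/async-upload.php?name=r%C3%A9sum%C3%A9.pdf HTTP/1.1"
BAD = "POST /wp-admin/async-upload.php?name=résumé.pdf HTTP/1.1".encode("utf-8")

if __name__ == "__main__":
    print(bare_bytes(GOOD))                       # []
    print(bare_bytes(BAD))                        # four bare bytes: 0xC3 0xA9 0xC3 0xA9
    print(percent_encoded("/upload/résumé.pdf"))  # /upload/r%C3%A9sum%C3%A9.pdf
    print(suppress_entry("119:4"))                # suppress gen_id 119, sig_id 4
    print(suppress_entry("119:4", "203.0.113.10"))  # constructed source address
```

The source-scoped form is worth considering before a blanket suppress: it keeps the rule active for everyone except the host that is known to trip it.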
Author Closing Comment

by: Paul Wagner
ID: 40417165
That was precisely the correct solution. Thanks!