Solved

Can't update website from outside the network. pfSense is blocking

Posted on 2014-10-31
Last Modified: 2014-11-01
We have a WordPress site that employees can access internally and externally to update their respective information as needed. We can log in to the site and make updates internally but employees can't do it when they are external.

The site is reachable externally and they can log in to see everything but even if they try to upload any file at all, it just spins and says that the file is uploading but it never leaves the screen that says it's updating.

Interestingly enough, the file transfer actually does complete for some users but they end up getting blocked by pfSense.

I have tried this from home and my PC gets blocked by Snort with this message:
(http_inspect) BARE BYTE UNICODE ENCODING - 10/31/14-15:10:57

On the Snort alerts, my IP is listed like this:
Date               Pri  Proto  Class                   Source   SPort  Destination   DPort  SID
10/31/14 15:10:57  3    TCP    Not Suspicious Traffic  <My IP>  53621  <Website IP>  80     119:4

Description
(http_inspect) BARE BYTE UNICODE ENCODING

Any direction would be helpful.
Question by:Paul Wagner
Accepted Solution

by:
btan earned 500 total points
ID: 40417119
This HTTP alert is discussed in the forum and is known to be a false positive 99% of the time. The best way to deal with it is to add a Suppress List entry so that it no longer alerts and blocks.
Bare byte encoding is an IIS trick that uses non-ASCII chars as valid values in decoding UTF-8 values. This is NOT in the HTTP standard, as all non-ASCII values have to be encoded with a %. Bare byte encoding allows the user to emulate an IIS server and interpret non-standard encodings correctly.

The alert on this decoding should be enabled, because there are no legitimate clients that encode UTF-8 this way, since it is non-standard.
To add a Suppress Entry, find the alert in the Alerts tab list and click the plus sign (+) beside it in the GID:SID column. That will auto-add it to the Suppress List. Restart Snort on the interface and that alert will no longer cause a block.
e.g.
#(http_inspect) BARE BYTE UNICODE ENCODING
suppress gen_id 119, sig_id 4

False positives are normal on any IPS/IDS; this is part and parcel of rule tuning. In this case, if this was not experienced in the past, it is likely that after the IPS signature upgrade the tuning was not done ... Nonetheless, it is good to check other errors too. For info, another common one is the "DOUBLE DECODING ATTACK" alert.
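
A simplified illustration of the condition the answer describes: raw non-ASCII bytes in a request URI where the HTTP standard expects %-encoding. This is an added example, not part of the original thread and not Snort's http_inspect code; the function names, the host and both request lines are constructed, and it assumes only the request URI is checked.

```python
from urllib.parse import quote

def request_uri(raw_request: bytes) -> bytes:
    """Return the URI field of the request line of a raw HTTP request."""
    parts = raw_request.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return parts[1]

def bare_byte_runs(uri: bytes) -> list:
    """Return (offset, bytes) for each run of raw bytes >= 0x80 in the URI."""
    runs, start = [], None
    for i, b in enumerate(uri + b"\x00"):   # sentinel closes a trailing run
        if b >= 0x80 and start is None:
            start = i
        elif b < 0x80 and start is not None:
            runs.append((start, uri[start:i]))
            start = None
    return runs

def inspect(raw_request: bytes) -> dict:
    """Flag a request whose URI carries non-ASCII bytes without %-encoding."""
    uri = request_uri(raw_request)
    runs = bare_byte_runs(uri)
    return {
        "alert": bool(runs),
        "runs": runs,
        # The same URI as a standards-conforming client would send it;
        # "%" is kept safe so existing escapes are not encoded twice.
        "percent_encoded": quote(uri, safe="/?&=%"),
    }

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "bare": b"POST /upload.php?file=caf\xc3\xa9.png HTTP/1.1\r\n"
            b"Host: example.test\r\n\r\n",
    "encoded": b"POST /upload.php?file=caf%C3%A9.png HTTP/1.1\r\n"
               b"Host: example.test\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect(raw))
```

Running the same check over a capture of the blocked request shows which bytes tripped the alert before the signature is suppressed.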
Author Closing Comment

by:Paul Wagner
ID: 40417165
That was precisely the correct solution. Thanks!