Snort-alerts/http-inspect-BARE-BYTE-UNICODE-ENCODING
http_inspect: BARE BYTE UNICODE ENCODING
Identification
| Id | 119-4 |
|---|---|
| Name | http_inspect: BARE BYTE UNICODE ENCODING |
| Classification | unclassified |
Trigger
Microsoft IIS servers accept non-ASCII bytes sent as-is, without percent-encoding, as valid values when decoding UTF-8 in a request. This is non-standard behavior for a web server and violates RFC recommendations: all non-ASCII values should be percent-encoded (a % followed by two hex digits). This event may indicate an attack against a web server or, at the least, an attempt to evade an IDS.
No web clients encode UTF-8 characters in this way. This is most likely a malicious request.
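A simplified sketch of the condition described above, as an added example that is not Snort's http_inspect code or part of the original page: it flags octets with the high bit set that appear raw in a request target, reports whether each run decodes as UTF-8, and produces the percent-encoded form. The function names and sample request lines are constructed for illustration.

```python
import re

# Runs of octets with the high bit set that appear raw (not as %XX) in a URI.
BARE_RUN = re.compile(rb"[\x80-\xff]+")

def request_uri(request_line: bytes) -> bytes:
    """Return the request target from 'METHOD target HTTP/x.y'."""
    parts = request_line.rstrip(b"\r\n").split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise ValueError("not a well-formed HTTP request line")
    return parts[1]

def bare_byte_runs(uri: bytes) -> list:
    """List each raw high-bit run: offset, hex bytes, UTF-8 decoding if valid."""
    findings = []
    for m in BARE_RUN.finditer(uri):
        raw = m.group()
        try:
            decoded = raw.decode("utf-8")  # strict: invalid sequences raise
        except UnicodeDecodeError:
            decoded = None
        findings.append({"offset": m.start(), "hex": raw.hex(), "utf8": decoded})
    return findings

def percent_encode_bare(uri: bytes) -> bytes:
    """Rewrite raw high-bit octets as %XX, leaving everything else untouched."""
    return BARE_RUN.sub(
        lambda m: b"".join(b"%%%02X" % octet for octet in m.group()), uri)

def inspect_request_line(request_line: bytes) -> dict:
    """Alert when the request target carries any bare high-bit octet."""
    uri = request_uri(request_line)
    runs = bare_byte_runs(uri)
    return {"alert": bool(runs), "runs": runs,
            "normalized": percent_encode_bare(uri)}

# Constructed sample request lines (not taken from any captured traffic).
SAMPLES = [
    b"GET /caf%C3%A9/menu.html HTTP/1.1\r\n",    # percent-encoded: conformant
    b"GET /caf\xc3\xa9/menu.html HTTP/1.1\r\n",  # same octets sent bare
    b"GET /a\xc3/b HTTP/1.1\r\n",                # bare octet, truncated UTF-8
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, inspect_request_line(line))
```

Comparing the `normalized` value against what the web server actually logged shows whether the sensor and the server interpreted the request the same way.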
Affected systems
All Microsoft IIS servers
False positives
None known
Scenario
An attacker merely needs to encode a web request using this non-standard format.
Example
[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
[Priority: 3]
09/19-15:06:58.142510 192.168.***.**:56316 -> 199.7.**.**:80
TCP TTL:64 TOS:0x8 ID:23457 IpLen:20 DgmLen:167 DF
***AP*** Seq: 0xD1795922 Ack: 0x586A3580 Win: 0x2E TcpLen: 32
TCP Options (3) => NOP NOP TS: 17108383 4031508274
Corrective actions
- Check the target host for signs of compromise.
- Apply any appropriate vendor-supplied patches.