Netgate Discussion Forum

    Too many snort alerts - 119:4 BARE BYTE UNICODE ENCODING

    IDS/IPS
pfua

Hi All,
I need some help with Snort.
I have just installed it on my pfSense and noticed that 99% of alerts are "119:4 BARE BYTE UNICODE ENCODING".

I have read some info (https://www.snort.org/rule_docs/119-4) about this SID but am still not sure what to do, as I don't have any Microsoft IIS server behind pfSense.

Extra info:
pfSense: 2.2.6
Snort 2.9.7.6 pkg v3.2.9.1
Snort is applied to the WAN interface.
Snort GPLv2 Community Rules (VRT certified)

TDJ211

Yeah, most of the 119 and 120 rules are false positives. You need to just disable them.

Check out the Snort/Suricata Blueprint thread; there are a TON of rules you can disable to clear up your alert logs.

Noisette

Hello, is there a list with all GID:SID false positives?
Thanks

bmeeks

@Noisette:

Hello, is there a list with all GID:SID false positives?
Thanks

@TDJ211 gave you the answer already, so a search here in the IDS/IPS forum for the term "Blueprint" should pop up a long thread. You can also search for "Suppress List" in the same forum and should get a number of hits with threads related to user suggestions for setting up a Suppress List and which rules are prone to false positives.

            Bill

Noisette

              Thank you for your reply. I thought there was a ready-made list. Apparently all 119 and 120 are false positives.

NogBadTheBad

Here's what I disabled after monitoring for a while:

HI_CLIENT_DOUBLE_DECODE            119:2
HI_CLIENT_BARE_BYTE                119:4
HI_CLIENT_IIS_UNICODE              119:7
HI_CLIENT_UNKNOWN_METHOD           119:31
HI_CLIENT_SIMPLE_REQUEST           119:32
HI_CLIENT_UNESCAPED_SPACE_IN_URI   119:33
HI_SERVER_NO_CONTLEN               120:3
HI_CLISRV_MSG_SIZE_EXCEPTION       120:8
SSL_INVALID_CLIENT_HELLO           137:1
SSL_INVALID_SERVER_HELLO           137:2

                Andy

                1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

bmeeks

                  @Noisette:

                  Thank you for your reply. I thought there was a ready-made list. Apparently all 119 and 120 are false positives.

If you search for the threads I referenced and then browse through them, you will find a number of posts similar to @NogBadTheBad's post containing code you can copy and paste into your own list. There is no place to just go download a ready-made file. That's because suppressing alerts and tuning an IDS/IPS is network-specific. Some users need rules that others do not, depending on the types of "normal" traffic on their network.

I keep repeating this mantra for the benefit of new IDS/IPS users: "Using an IDS/IPS such as Snort or Suricata is not like installing an anti-virus client. You can't just install, enable all the rules and live happily ever after. If you do that, you will in fact live in constant frustration dealing with nuisance blocks. Spend some time reading the posts on this forum and browsing the 'school of Google' to learn about tuning an IDS/IPS."

                  Bill

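The workflow the two posts above describe (watch the alert log for a while, find the preprocessor events that dominate it, then put the chosen GID:SID pairs into a Suppress List, scoped to your own network where a global suppression would be too broad) can be scripted. The script below is an added example and is not code from the thread, from NogBadTheBad's list, or from the pfSense Snort package. It reads Snort 2.x "alert_fast" style lines, ranks GID:SID pairs by count, and emits entries in the Snort 2.x threshold/suppress syntax (`suppress gen_id G, sig_id S[, track by_src, ip X]`) that the package's Suppress List accepts. The sample log is constructed: the timestamps and addresses are made up, and `1:1000001` is a hypothetical local rule included only so that a non-preprocessor event appears in the ranking; 119:4, 120:3 and 137:1 are the events named in the thread.

```shell
#!/bin/sh
# Added example, not code from the forum thread or the pfSense Snort package.
# Ranks the noisiest GID:SID pairs in a Snort 2.x "alert_fast" style log and
# turns the chosen ones into suppress-list entries in the Snort 2.x
# threshold/suppress syntax that pfSense's Suppress List accepts.
# SAMPLE_ALERTS is constructed for illustration: timestamps, addresses and the
# sid 1000001 "local rule" are made up; 119:4, 120:3 and 137:1 are the
# preprocessor events discussed in the thread.

SAMPLE_ALERTS='01/09-10:15:01.123456  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 203.0.113.10:51234 -> 198.51.100.5:80
01/09-10:15:02.223456  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 203.0.113.11:51235 -> 198.51.100.5:80
01/09-10:15:03.323456  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 203.0.113.12:51236 -> 198.51.100.5:80
01/09-10:15:04.423456  [**] [120:3:1] (http_inspect) HI_SERVER_NO_CONTLEN [**] [Priority: 3] {TCP} 198.51.100.5:80 -> 203.0.113.10:51234
01/09-10:15:05.523456  [**] [137:1:1] (ssl) SSL_INVALID_CLIENT_HELLO [**] [Priority: 3] {TCP} 203.0.113.10:51300 -> 198.51.100.5:443
01/09-10:15:06.623456  [**] [1:1000001:1] hypothetical local rule [**] [Priority: 2] {TCP} 198.51.100.5:80 -> 203.0.113.13:51240'

# top_sids: read alert lines on stdin, print "count gid:sid", noisiest first.
# Only the [gid:sid:rev] bracket is parsed, so the message text is irrelevant.
top_sids() {
    grep -o '\[[0-9][0-9]*:[0-9][0-9]*:[0-9][0-9]*]' |
        sed 's/^\[\([0-9]*\):\([0-9]*\):[0-9]*]$/\1:\2/' |
        sort | uniq -c | sort -rn |
        awk '{ printf "%s %s\n", $1, $2 }'
}

# noisy_sids MIN: read alert lines on stdin, print the gid:sid pairs that fired
# at least MIN times. Everything below the threshold is left alone so rare
# (and therefore interesting) events keep alerting.
noisy_sids() {
    top_sids | awk -v min="$1" '$1 >= min { print $2 }'
}

# suppress_global gid:sid ...: one entry per pair; silences the event everywhere.
suppress_global() {
    for pair in "$@"; do
        printf 'suppress gen_id %s, sig_id %s\n' "${pair%%:*}" "${pair##*:}"
    done
}

# suppress_by_src IP gid:sid ...: same, but only for traffic from IP (a host or
# CIDR), so the event still alerts for every other source.
suppress_by_src() {
    ip=$1
    shift
    for pair in "$@"; do
        printf 'suppress gen_id %s, sig_id %s, track by_src, ip %s\n' \
            "${pair%%:*}" "${pair##*:}" "$ip"
    done
}

# Demo on the constructed log: show the ranking, then suppress whatever fired
# three or more times globally and scope 120:3 to one (made-up) web server.
printf '%s\n' "$SAMPLE_ALERTS" | top_sids
suppress_global $(printf '%s\n' "$SAMPLE_ALERTS" | noisy_sids 3)
suppress_by_src 198.51.100.5 120:3
```

Two caveats when pasting the output into a Suppress List. A `suppress` entry only hides the alert; Snort still runs the http_inspect or SSL preprocessor check on every packet, so if you never want the event at all, disabling the corresponding entry in the preprocessor rules is the cheaper option. And the `track by_src, ip` form is how you keep Bill's point about network-specific tuning: suppress 119:4 only for the clients or servers you have verified are generating it legitimately, rather than for the whole Internet.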
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.