Next: Second and Third Event Up: Scripted and Automated Activity Previous: The Automated Behavior   Contents

First Event

After removing some of the obvious alerts, one of the remaining alerts is (http_inspect) BARE BYTE UNICODE ENCODING. The Snort documentation [19] describes it as follows:

"Bare byte encoding is an IIS trick that uses non-ASCII chars as valid values in decoding UTF-8 values. This is not in the HTTP standard, as all non-ASCII values have to be encoded with a %. Bare byte encoding allows the user to emulate an IIS server and interpret non-standard encodings correctly."

Looking at this traffic in ASCII yields only gibberish for the entire payload. Possibly this traffic is not Web traffic (although it targets port 80) but some kind of tunneled traffic. We do not think the traffic is encrypted, because encrypted HTTP traffic would use port 443, not port 80. To find the reason for the scrambled payloads, we tried to correlate this traffic with the other traffic these machines generate. This was unfortunately not very successful: all the machines were incredibly active, and there was no obvious correlation with other types of traffic. We were not able to uncover what this traffic really represents; it could be tunneled traffic, a false positive of the Snort preprocessor, or non-HTTP traffic. In Section 3.5 we will revisit this traffic and see that it exhibits some very interesting anomalies (changing TTLs within the same connection, etc.).
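To make the alert definition quoted above concrete, here is a small added example (written for this page, not Snort's http_inspect code) that walks a request URI the way an IIS-style decoder would: %XX sequences are the standard encoding, while any raw octet of 0x80 or higher is a "bare byte" that the preprocessor flags. The two request lines and the function names are constructed for the illustration.

```python
# Constructed sample request lines (not captured traffic). The first URI is
# standard %-encoded; the second carries the same UTF-8 octets as bare bytes,
# which an IIS server accepts and Snort's http_inspect reports.
STANDARD_REQ = b"GET /caf%C3%A9/index.html HTTP/1.1\r\n"
BARE_BYTE_REQ = b"GET /caf\xc3\xa9/index.html HTTP/1.1\r\n"

HEX_DIGITS = b"0123456789abcdefABCDEF"


def extract_uri(request_line: bytes) -> bytes:
    """Return the request-URI (second token) of an HTTP request line."""
    parts = request_line.strip().split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[1]


def decode_uri(uri: bytes):
    """Decode a URI as an IIS-like server would, accepting bare bytes.

    Returns (decoded_bytes, bare_offsets). Each valid %XX becomes one octet;
    any raw octet >= 0x80 is copied through unchanged and its offset in the
    original URI is recorded, because the HTTP standard requires such
    values to be %-encoded.
    """
    out = bytearray()
    bare_offsets = []
    i = 0
    while i < len(uri):
        b = uri[i]
        # Standard percent-encoding: '%' followed by two hex digits.
        if b == 0x25 and i + 2 < len(uri) and all(
            c in HEX_DIGITS for c in uri[i + 1:i + 3]
        ):
            out.append(int(uri[i + 1:i + 3], 16))
            i += 3
            continue
        if b >= 0x80:
            bare_offsets.append(i)  # non-ASCII byte sent unencoded
        out.append(b)
        i += 1
    return bytes(out), bare_offsets


def bare_byte_alert(request_line: bytes) -> bool:
    """True when the request URI contains at least one bare non-ASCII byte."""
    _, bare_offsets = decode_uri(extract_uri(request_line))
    return len(bare_offsets) > 0


if __name__ == "__main__":
    for req in (STANDARD_REQ, BARE_BYTE_REQ):
        decoded, bare = decode_uri(extract_uri(req))
        print(decoded.decode("utf-8", errors="replace"), bare, bare_byte_alert(req))
```

Both request lines decode to the same path, which is exactly why a signature that only looks at the decoded URI misses the difference; the alert is about the encoding on the wire, not the resulting path.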


Raffy 2004-12-20