Snort mailing list archives
Another question about the inspect_gzip option in Snort 2.8.6
From: L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
Date: Tue, 18 May 2010 12:26:04 -0500
Hello. I have a simple question about the inspect_gzip option in Snort 2.8.6. I am reading in the manual where it says, on page 55, "To enable compression of HTTP server response, Snort should be configured with the --enable-zlib flag." I thought that the inspect_gzip option just decompressed the gzip data for Snort, not compressed it. Or is it for in-line Snort, where the inspected gzipped data gets gzipped back up before being passed on? If so, why not just keep a copy of the original gzipped data in a separate buffer and forward that instead? I guess if you did that you'd have to drop the whole gzip buffer up to max_gzip_mem bytes on an IPS drop event. Or am I reading too much into this?

Thanks.

-L0rd Ch0de1m0rt
Current thread:
- Another question about the inspect_gzip option in Snort 2.8.6 L0rd Ch0de1m0rt (May 18)
- Re: Another question about the inspect_gzip option in Snort 2.8.6 Bhagya Bantwal (May 18)
- Re: Another question about the inspect_gzip option in Snort 2.8.6 L0rd Ch0de1m0rt (May 18)
- Re: Another question about the inspect_gzip option in Snort 2.8.6 Bhagya Bantwal (May 18)
- Re: Another question about the inspect_gzip option in Snort 2.8.6 L0rd Ch0de1m0rt (May 18)
- Re: Another question about the inspect_gzip option in Snort 2.8.6 Bhagya Bantwal (May 18)