Snort mailing list archives

Another question about the inspect_gzip option in Snort 2.8.6


From: L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
Date: Tue, 18 May 2010 12:26:04 -0500

Hello.  I have a simple question about the inspect_gzip option in
Snort 2.8.6.  I am reading in the manual where it says, on page 55, "To
enable compression of HTTP server response, Snort should be configured
with the --enable-zlib flag."  I thought that the inspect_gzip option
just decompressed the gzip data for Snort, not compressed it.  Or is
it for in-line Snort where the inspected gzipped data gets gzipped back
up before being passed on?  If so, why not just keep a copy of the
original gzipped data in a separate buffer and forward that instead?
I guess if you did that you'd have to drop the whole gzip buffer up to
max_gzip_mem bytes on an IPS drop event.  Or am I reading too much
into this?

Thanks.

-L0rd Ch0de1m0rt
