Snort mailing list archives

Re: Another question about the inspect_gzip option in Snort 2.8.6


From: L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
Date: Tue, 18 May 2010 14:27:13 -0500

Yes, this makes sense.  Thank you Bhagya.  So then should the manual
read "To enable decompression of HTTP server response...."?

-L0rd Ch0de1m0rt

On Tue, May 18, 2010 at 1:23 PM, Bhagya Bantwal <bbantwal () sourcefire com> wrote:
inspect_gzip will just decompress the compressed data and store it in a
different buffer.

No compression in case of inline mode. So since we don't overwrite the
packet payload with decompressed data we don't need to compress the data
again.

max_gzip_mem (as mentioned in the manual) along with decompress and compress
depths determines the maximum number of http sessions (with gzipped data) to
decompress. This is an optimization option. We don't want the system to run
out of memory trying to decompress all the compressed data.


Hope that helps.
-B

On Tue, May 18, 2010 at 1:26 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com> wrote:

Hello.  I have a simple question about the inspect_gzip option in
Snort 2.8.6.  I am reading in the manual where it says, on page 55 "To
enable compression of HTTP server response, Snort should be configured
with the --enable-zlib flag."  I thought that the inspect_gzip option
just decompressed the gzip data for Snort, not compressed it.  Or is it
for in-line Snort where the inspected gzipped data gets gzipped back
up before being passed on?  If so, why not just keep a copy of the
original gzipped data in a separate buffer and forward that instead?
I guess if you did that you'd have to drop the whole gzip buffer up to
max_gzip_mem bytes on an IPS drop event.  Or am I reading too much
into this?

Thanks.

-L0rd Ch0de1m0rt


------------------------------------------------------------------------------

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
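A small model of the behaviour Bhagya describes above (decompress into a separate buffer, never touch the packet payload, and cap the memory spent on decompression), added here as an example that is not Snort's own code. It assumes the relation the Snort 2.8.6 manual gives for max_gzip_mem, namely that the number of gzip sessions inspected concurrently is max_gzip_mem / (compress_depth + decompress_depth); the class and method names are made up for this illustration.

```python
import zlib


class GzipInspector:
    """Toy model of http_inspect's inspect_gzip budget (not Snort code).

    compress_depth   - max compressed bytes of a response fed to zlib
    decompress_depth - max decompressed bytes kept for inspection
    max_gzip_mem     - total memory allowed for all decompression buffers
    """

    def __init__(self, max_gzip_mem, compress_depth, decompress_depth):
        self.compress_depth = compress_depth
        self.decompress_depth = decompress_depth
        # Assumed from the Snort 2.8.6 manual: the memory cap bounds how
        # many gzipped sessions may be decompressed at the same time.
        self.max_sessions = max_gzip_mem // (compress_depth + decompress_depth)
        self.active = {}  # session id -> decompressed inspection buffer

    def inspect(self, session_id, compressed_body):
        """Return the decompressed view of a gzip response body, or None
        when the decompression budget is exhausted for new sessions.
        The original compressed payload is left untouched; in inline mode
        it is forwarded as-is, so nothing ever needs re-compressing."""
        if session_id not in self.active and len(self.active) >= self.max_sessions:
            return None
        # Only the first compress_depth bytes are ever handed to zlib, and
        # zlib is told to emit at most decompress_depth bytes of output,
        # so a gzip bomb cannot blow past the per-session budget.
        inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
        out = inflater.decompress(compressed_body[:self.compress_depth],
                                  self.decompress_depth)
        self.active[session_id] = out
        return out

    def close(self, session_id):
        """Release the session's buffer so another session can use it."""
        self.active.pop(session_id, None)


if __name__ == "__main__":
    import gzip
    # Constructed sample: a highly compressible 5000-byte response body.
    body = gzip.compress(b"A" * 5000)
    insp = GzipInspector(max_gzip_mem=838860, compress_depth=1460,
                         decompress_depth=2920)  # Snort 2.8.6 defaults
    view = insp.inspect("client:1234->server:80", body)
    print(len(body), "compressed bytes ->", len(view), "inspected bytes")
```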



------------------------------------------------------------------------------

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

