Snort mailing list archives

[GZIP] Gzip inspection isn't working


From: Pablo Artuso <artusopablo () gmail com>
Date: Wed, 13 Aug 2014 08:49:28 -0300

Hi everybody,
The reason for this request is to ask for help matching some content in an
HTTP response which is compressed with gzip.
I have been doing a lot of research (web pages, Snort manual, etc.) in order
to configure the http_inspect preprocessor properly to decompress and
analyze gzip, but without any positive result.

Here is my http_inspect and stream5 configuration:

    ---------------------------------------------------------------
    preprocessor stream5_global: \
      track_tcp yes \
      track_udp yes
    preprocessor stream5_tcp: \
      policy bsd, \
      timeout 86400, \
      ports both all
    preprocessor stream5_udp: \
      timeout 86400

    ---------------------------------------------------------------
    preprocessor http_inspect: \
      global \
      iis_unicode_map unicode.map 1252 \
      compress_depth 65535 decompress_depth 65535
    ---------------------------------------------------------------
    preprocessor http_inspect_server: \
      server default \
      profile all \
      client_flow_depth 0 \
      server_flow_depth 0 \
      post_depth 0 \
      extended_response_inspection \
      inspect_gzip \
      normalize_utf \
      normalize_headers \
      normalize_javascript \
      unlimited_decompress \
      ports { 80 8080 }
    ---------------------------------------------------------------

When I start Snort, the following information is printed:
    - Inspect HTTP Responses: YES
    - Normalize HTTP Headers: YES
    - Normalize Javascripts in HTTP Responses: YES
    - Unlimited decompression of gzip data from responses: YES
    - Extract Gzip from responses: YES

The rule I'm trying to match is something like this:
    alert tcp Ip $HttpPorts -> any any ( flow: to_client; file_data; content: "Earphones"; msg: "Earphones"; sid: 5000001; )


In Wireshark, I can see the "Earphones" string inside the decompressed
packet payload, but the rule doesn't trigger.




Any kind of help will be very much appreciated.
Thanks very much!
Cheers,
Pablo

PS: I've also seen and tried these links without any luck:
    - http://blog.snort.org/2012/01/snort-2920-javascript-normalization.html
    - https://groups.google.com/forum/#!topic/mailing.unix.snort/eZgUhdKTle0
    - http://seclists.org/snort/2012/q2/646
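Added example (not part of Pablo's message or of the Snort project): the Python script below builds the kind of response the rule is meant to catch, models the two steps http_inspect performs before file_data sees the body (dechunking, then gzip decompression), and writes a six-packet pcap of one HTTP exchange that can be replayed with snort -r against the configuration above. The addresses, ports, hostname and sample HTML are constructed for the example. IP and TCP checksums are computed because Snort verifies checksums by default and silently ignores packets that fail.

```python
import gzip
import socket
import struct

PATTERN = b"Earphones"
# Constructed sample page; the repeated tags give gzip something to compress.
SAMPLE_BODY = b"<html><body><ul>" + b"<li>Earphones</li><li>Headphones</li>" * 4 + b"</ul></body></html>"


def build_gzip_response(body, chunked=False):
    """Full HTTP/1.1 200 response carrying a gzip body, optionally chunk-encoded."""
    gz = gzip.compress(body)
    headers = [b"HTTP/1.1 200 OK", b"Content-Type: text/html", b"Content-Encoding: gzip"]
    if chunked:
        headers.append(b"Transfer-Encoding: chunked")
        payload = b"%x\r\n%s\r\n0\r\n\r\n" % (len(gz), gz)  # one chunk plus terminator
    else:
        headers.append(b"Content-Length: %d" % len(gz))
        payload = gz
    return b"\r\n".join(headers) + b"\r\n\r\n" + payload


def dechunk(data):
    """Reassemble a chunked body (chunk extensions and trailer headers are ignored)."""
    out = bytearray()
    while True:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            return bytes(out)
        out += data[:size]
        data = data[size + 2:]  # skip the CRLF that terminates every chunk


def file_data(response):
    """Model of the buffer http_inspect exposes to file_data: dechunked, then gunzipped."""
    head, _, body = response.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if headers.get(b"transfer-encoding") == b"chunked":
        body = dechunk(body)
    if headers.get(b"content-encoding") in (b"gzip", b"x-gzip"):
        body = gzip.decompress(body)
    return body  # deflate (also handled by inspect_gzip) is not modelled here


def check(response, pattern=PATTERN):
    """(pattern in raw wire bytes, pattern in decoded body); the rule needs the second."""
    return pattern in response, pattern in file_data(response)


def inet_checksum(data):
    """RFC 1071 one's-complement checksum, used for both the IP header and TCP."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_packet(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """IPv4+TCP packet with correct checksums (Snort ignores bad-checksum packets by default)."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = s + d + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, s, d)
    return ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:] + tcp


def write_pcap(path, response, client="10.0.0.1", server="10.0.0.2", port=80):
    """Write one HTTP exchange (handshake, GET, response, final ACK) as an Ethernet pcap."""
    # The response is sent as a single segment, so keep bodies under about 1400 bytes.
    request = b"GET / HTTP/1.1\r\nHost: shop.example\r\nAccept-Encoding: gzip\r\n\r\n"
    cseq, sseq, cport = 1000, 5000, 40000
    SYN, SYNACK, ACK, PSHACK = 0x02, 0x12, 0x10, 0x18
    packets = [
        tcp_packet(client, server, cport, port, cseq, 0, SYN),
        tcp_packet(server, client, port, cport, sseq, cseq + 1, SYNACK),
        tcp_packet(client, server, cport, port, cseq + 1, sseq + 1, ACK),
        tcp_packet(client, server, cport, port, cseq + 1, sseq + 1, PSHACK, request),
        tcp_packet(server, client, port, cport, sseq + 1, cseq + 1 + len(request), PSHACK, response),
        tcp_packet(client, server, cport, port, cseq + 1 + len(request), sseq + 1 + len(response), ACK),
    ]
    ethernet = b"\x00" * 12 + b"\x08\x00"  # zero MAC addresses, EtherType IPv4
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))  # link type 1 = Ethernet
        for i, pkt in enumerate(packets):
            frame = ethernet + pkt
            f.write(struct.pack("<IIII", 1407923368 + i, 0, len(frame), len(frame)))
            f.write(frame)
    return len(packets)


if __name__ == "__main__":
    resp = build_gzip_response(SAMPLE_BODY)
    print("pattern in raw bytes / in decoded body:", check(resp))
    print("packets written to earphones.pcap:", write_pcap("earphones.pcap", resp))
```

Running the script prints (False, True): the literal is absent from the compressed wire bytes and present only in the decoded body, which is exactly the gap file_data is supposed to bridge. Replaying earphones.pcap with `snort -c snort.conf -r earphones.pcap -A console -q` gives a known-good baseline for the configuration above: if the alert fires on this capture but not on the live traffic, the difference lies in the traffic (the encoding actually used, chunking, ports, flow direction) or in what the sensor sees of the flow, not in the decompression settings. A real response copied out of Wireshark's TCP stream view can be passed straight to check() to confirm that its Content-Encoding header and body decode the way the preprocessor expects.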