Snort mailing list archives
[GZIP] Gzip inspection isn't working
From: Pablo Artuso <artusopablo () gmail com>
Date: Wed, 13 Aug 2014 08:49:28 -0300
Hi everybody,

The reason for this request is to ask for help matching some content in an HTTP response which is compressed with gzip. I have been doing a lot of research (web pages, Snort manual, etc.) in order to configure the http_inspect preprocessor properly to decompress and analyze gzip, but without any positive result.

Here is my http_inspect and stream5 configuration:

---------------------------------------------------------------
preprocessor stream5_global: \
    track_tcp yes \
    track_udp yes

preprocessor stream5_tcp: \
    policy bsd, \
    timeout 86400, \
    ports both all

preprocessor stream5_udp: \
    timeout 86400
---------------------------------------------------------------
preprocessor http_inspect: \
    global \
    iis_unicode_map unicode.map 1252 \
    compress_depth 65535 decompress_depth 65535
---------------------------------------------------------------
preprocessor http_inspect_server: \
    server default \
    profile all \
    client_flow_depth 0 \
    server_flow_depth 0 \
    post_depth 0 \
    extended_response_inspection \
    inspect_gzip \
    normalize_utf \
    normalize_headers \
    normalize_javascript \
    unlimited_decompress \
    ports { 80 8080 }
---------------------------------------------------------------

When I start Snort, the following information is printed:

- Inspect HTTP Responses: YES
- Normalize HTTP Headers: YES
- Normalize Javascripts in HTTP Responses: YES
- Unlimited decompression of gzip data from responses: YES
- Extract Gzip from responses: YES

The rule I'm trying to match is something like this:

- alert tcp Ip $HttpPorts -> any any ( flow: to_client; file_data; content: "Earphones"; msg: "Earphones"; sid: 5000001; )

From Wireshark, I can see the "Earphones" string inside the packet's decompressed payload, but the rule doesn't trigger.

Any kind of help will be very much appreciated. Thanks very much!

Cheers,
Pablo

PS: I've also seen and tried these links without any luck:
- http://blog.snort.org/2012/01/snort-2920-javascript-normalization.html
- https://groups.google.com/forum/#!topic/mailing.unix.snort/eZgUhdKTle0
- http://seclists.org/snort/2012/q2/646
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
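The post above turns on inspect_gzip, decompress_depth 65535 and unlimited_decompress so that a file_data rule sees the inflated body rather than the compressed bytes on the wire. The script below is an added example, not Snort code and not part of the original message: it is a small Python model of that http_inspect behaviour, run against a constructed HTTP/1.1 response whose gzip body contains the string "Earphones". It shows the three cases a practitioner wants to check when a rule like the one in the post does not fire: the literal is absent from the compressed bytes (so the match can only happen after inflation), it is found once the body is inflated, and it is missed again when the match sits past a small decompress_depth and unlimited_decompress is off. The response, the HTML body, the function names and the depth values are all assumptions made for the example; Snort's own limits (decompress_depth capped at 65535) are taken from the Snort 2.9 manual.

```python
"""Model of what Snort's http_inspect does with a gzip-encoded HTTP response.

Added example, not Snort code: it rebuilds a response like the one the post
describes (a gzip body containing "Earphones") and shows which combinations
of inspect_gzip / decompress_depth / unlimited_decompress let a content match
on the decompressed body succeed.  All input below is constructed.
"""
import gzip
import zlib

# Constructed HTML body: the match string sits roughly 290 bytes into the page,
# after enough filler that a small decompress_depth cuts it off.
HTML_BODY = (
    b"<html><body><h1>Catalog</h1>"
    + b"<p>filler</p>" * 20
    + b"<p>Earphones - 19.99</p></body></html>"
)


def build_response(body: bytes) -> bytes:
    """Return a raw HTTP/1.1 response whose body is gzip-compressed (constructed)."""
    compressed = gzip.compress(body, mtime=0)
    return (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html\r\n"
        b"Content-Encoding: gzip\r\n"
        b"Content-Length: " + str(len(compressed)).encode() + b"\r\n"
        b"\r\n"
    ) + compressed


def split_response(raw: bytes):
    """Split a raw response into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def inspect_response(raw: bytes, pattern: bytes, *, inspect_gzip=True,
                     decompress_depth=65535, unlimited_decompress=False) -> bool:
    """Return True if `pattern` is found in the buffer a file_data rule would see.

    Without inspect_gzip the rule sees the compressed bytes on the wire.
    With it, the body is inflated, but only the first decompress_depth bytes
    are inspected unless unlimited_decompress is set (Snort itself caps
    decompress_depth at 65535, which is why the post sets that value).
    """
    headers, body = split_response(raw)
    if not inspect_gzip or headers.get(b"content-encoding") != b"gzip":
        return pattern in body
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip wrapper
    if unlimited_decompress:
        data = inflater.decompress(body) + inflater.flush()
    else:
        data = inflater.decompress(body, decompress_depth)   # output capped
    return pattern in data


if __name__ == "__main__":
    raw = build_response(HTML_BODY)
    print("wire bytes contain 'Earphones':",
          inspect_response(raw, b"Earphones", inspect_gzip=False))
    print("inflated, depth 65535:", inspect_response(raw, b"Earphones"))
    print("inflated, depth 64:",
          inspect_response(raw, b"Earphones", decompress_depth=64))
    print("inflated, unlimited:",
          inspect_response(raw, b"Earphones", unlimited_decompress=True))
```

The decompress_depth case is the one worth keeping in mind when a rule matches in Wireshark's decoded view but not in Snort: Wireshark inflates the whole body, while http_inspect only inspects as much inflated data as the configured depth allows, and the string in a real catalog page can easily sit beyond a few kilobytes of markup.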
Current thread:
- [GZIP] Gzip inspection isn't working Pablo Artuso (Aug 13)