Snort mailing list archives

Re: http content-encoding: gzip


From: Dave Rutherford <dave () evilpettingzoo com>
Date: Sat, 14 Nov 2009 11:44:50 -0500

On Sat, Nov 14, 2009 at 08:28, Adam Szabo <adamx001 () gmail com> wrote:
Do you know how to 'decrypt' a TCP packet with gzip content-encoding in the
payload?
For example if I visit google.com, Snort captures a TCP packet with this in
the payload:

length = 1418

000 : 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D   HTTP/1.1 200 OK.
[...]
100 : 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 33   ontent-Length: 3
110 : 31 31 37 0D 0A 58 2D 58 53 53 2D 50 72 6F 74 65   117..X-XSS-Prote
120 : 63 74 69 6F 6E 3A 20 30 0D 0A 0D 0A 1F 8B 08 00   ction: 0........

130 : 00 00 00 00 02 FF E5 5A DD 6E DB 38 16 7E 15 4E   .......Z.n.8.~.N
140 : 83 41 52 C0 56 64 3B 71 1C BB CD 60 7F 66 3B C0   .AR.Vd;q...` f;.
150 : 60 E7 66 BA D8 8B ED A2 A0 24 CA 62 4D FD 54 A4   `.f......$.bM.T.

Strip out all the bytes corresponding to the headers. Here that's everything
up to and including the 0D 0A 0D 0A on line 120. Then delete the first and last
columns so you have only the hex bytes remaining. Reformat at one "byte"
per line, so it looks like this:

1F
8B
08
00
00
00
00
00
02
FF
E5
5A
DD
6E
DB
... etc.

Let's call this file tmp.hex.  Using bash,

$ while read w; do echo $((0x$w)); done < tmp.hex |
    awk '{ printf "%c", $1; }' |
    zcat

I won't spoil your surprise at what you've captured, here, but
this method certainly does decode it.

Regards,
   Dave
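As an added example (not Dave's script and not a Snort feature), the same steps in Python: it parses the "offset : hex bytes   ascii" dump layout quoted above, cuts the response at the first CRLFCRLF and gunzips the body. It uses a streaming decompressor so that a body cut off at the packet boundary (the quoted capture is 1418 bytes of a 3117-byte Content-Length) yields the recoverable prefix and a "truncated" flag instead of an error. The dump it decodes is constructed inline, not the original capture.

```python
import gzip
import re
import zlib

def parse_hex_dump(text):
    """Rebuild raw bytes from an 'offset : hex bytes   ascii' dump.
    Blank lines and a '[...]' elision are skipped, so an elided dump
    yields a byte stream with a hole in it."""
    out = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        _, _, rest = line.partition(":")
        # the ASCII column is separated from the hex column by 2+ spaces
        hexfield = re.split(r"\s{2,}", rest.strip())[0]
        tokens = hexfield.split()
        if tokens and all(re.fullmatch(r"[0-9A-Fa-f]{2}", t) for t in tokens):
            out.extend(int(t, 16) for t in tokens)
    return bytes(out)

def decode_gzip_body(raw):
    """Split an HTTP response at the first CRLFCRLF and gunzip the body.
    Returns (headers, plaintext, complete); complete is False when the
    gzip stream ended early, i.e. the capture was cut at the packet boundary."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of HTTP headers not found in captured bytes")
    headers = head.decode("iso-8859-1")
    if "content-encoding: gzip" not in headers.lower():
        return headers, body, True
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # +16: expect a gzip wrapper
    return headers, d.decompress(body), d.eof

SAMPLE_HTML = b"<html><body>constructed page for the example</body></html>"

def build_sample_dump(truncate_at=None):
    """Constructed response dump in the thread's layout (not the real capture)."""
    body = gzip.compress(SAMPLE_HTML)
    raw = (b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n"
           b"Content-Length: %d\r\n\r\n" % len(body) + body)[:truncate_at]
    lines = []
    for off in range(0, len(raw), 16):
        chunk = raw[off:off + 16]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:03X} : {hexpart:<47}   {asc}")
    return "\n".join(lines)

if __name__ == "__main__":
    hdr, text, ok = decode_gzip_body(parse_hex_dump(build_sample_dump()))
    print(hdr, text.decode(), "complete" if ok else "truncated", sep="\n")
```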
