Snort mailing list archives
Re: http content-encoding: gzip
From: Dave Rutherford <dave () evilpettingzoo com>
Date: Sat, 14 Nov 2009 11:44:50 -0500
On Sat, Nov 14, 2009 at 08:28, Adam Szabo <adamx001 () gmail com> wrote:
> Do you know how to 'decrypt' a TCP packet with gzip content-encoding in the
> payload? For example if I visit google.com, Snort captures a TCP packet with
> this in the payload:
>
> length = 1418
> 000 : 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
> [...]
> 100 : 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 33  ontent-Length: 3
> 110 : 31 31 37 0D 0A 58 2D 58 53 53 2D 50 72 6F 74 65  117..X-XSS-Prote
> 120 : 63 74 69 6F 6E 3A 20 30 0D 0A 0D 0A 1F 8B 08 00  ction: 0........
> 130 : 00 00 00 00 02 FF E5 5A DD 6E DB 38 16 7E 15 4E  .......Z.n.8.~.N
> 140 : 83 41 52 C0 56 64 3B 71 1C BB CD 60 7F 66 3B C0  .AR.Vd;q...` f;.
> 150 : 60 E7 66 BA D8 8B ED A2 A0 24 CA 62 4D FD 54 A4  `.f......$.bM.T.
Strip out all the bytes corresponding to the headers. Here that's everything
up to and including the 0D 0A 0D 0A on line 120. Then delete the first and
last columns so you have only the hex bytes remaining. Reformat at one "byte"
per line, so it looks like this:

1F
8B
08
00
00
00
00
00
02
FF
E5
5A
DD
6E
DB
... etc.

Let's call this file tmp.hex. Using bash,

# LC_ALL=C keeps awk's %c writing one raw byte for values 128-255 (gawk in a
# UTF-8 locale would otherwise emit a multi-byte character and corrupt the stream)
$ while read w; do echo $((0x$w)); done < tmp.hex | LC_ALL=C awk '{ printf "%c", $1; }' | zcat

I won't spoil your surprise at what you've captured, here, but this method
certainly does decode it.

Regards,
Dave
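The same procedure as a script, added here as an example and not taken from Dave's reply or from Snort: it parses the Snort dump layout quoted above by its hex column, cuts the HTTP headers at the 0D 0A 0D 0A terminator, and gunzips the body with a streaming decompressor so that a response which does not fit in one captured segment (the Content-Length of 3117 against the 1418-byte packet above) still yields its readable prefix instead of a zcat error. The response it decodes is constructed inline; the regex, helper names and sample bytes are this example's own.

```python
import gzip
import re
import zlib

# One Snort payload-dump line: hex offset, colon, up to 16 hex bytes, ASCII column.
# Only the hex column is decoded; the ASCII text (which may contain ':') is ignored.
DUMP_LINE = re.compile(r"\b[0-9A-Fa-f]{3,}\s*:\s*((?:[0-9A-Fa-f]{2}\s){1,16})")

def parse_snort_dump(dump: str) -> bytes:
    """Recover the raw payload from a Snort dump; 'length = N' lines are skipped."""
    hits = (DUMP_LINE.search(line) for line in dump.splitlines())
    return b"".join(bytes.fromhex(m.group(1)) for m in hits if m)

def split_http_response(payload: bytes):
    """Return (status line, lower-cased header dict, body) from a raw response."""
    end = payload.find(b"\r\n\r\n")            # the 0D 0A 0D 0A header terminator
    if end < 0:
        raise ValueError("end-of-headers marker not found in payload")
    status, *lines = payload[:end].decode("iso-8859-1").split("\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (ln.partition(":") for ln in lines)}
    return status, headers, payload[end + 4:]

def decode_body(headers: dict, body: bytes):
    """Return (decoded bytes, truncated). The streaming decompressor yields whatever
    a partial capture holds and reports whether the gzip stream actually ended."""
    if headers.get("content-encoding", "").lower() != "gzip":
        return body, False
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)   # gzip framing only
    return d.decompress(body), not d.eof

def decode_dump(dump: str):
    status, headers, body = split_http_response(parse_snort_dump(dump))
    return (status, headers) + decode_body(headers, body)

def to_snort_dump(data: bytes) -> str:
    """Render bytes in Snort's dump layout (only used to build the constructed sample)."""
    rows = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:03X} : {chunk.hex(' ').upper()} {asc}")
    return "\n".join(rows)

# Constructed sample (not from the thread): a gzip response, complete and cut short.
PLAIN = b"<html><body>" + b"hello snort-users " * 40 + b"</body></html>"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Encoding: gzip\r\n\r\n" + gzip.compress(PLAIN))
FULL_DUMP = f"length = {len(RESPONSE)}\n" + to_snort_dump(RESPONSE)
CUT_DUMP = to_snort_dump(RESPONSE[:-20])   # the last 20 bytes were never captured
```

decode_dump(FULL_DUMP) returns the full page with truncated=False; decode_dump(CUT_DUMP) returns the decodable prefix with truncated=True, which is the case to expect when a single Snort packet dump is shorter than the Content-Length it announces.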