Snort mailing list archives
Re: http content-encoding: gzip
From: Adam Szabo <adamx001 () gmail com>
Date: Sat, 14 Nov 2009 19:15:41 +0100
Thank you both a lot!

Adam Szabo

On Sat, Nov 14, 2009 at 7:03 PM, Richard Bejtlich <taosecurity () gmail com> wrote:

> On Sat, Nov 14, 2009 at 8:28 AM, Adam Szabo <adamx001 () gmail com> wrote:
>
> > Hello,
> >
> > Do you know how to 'decrypt' a TCP packet with gzip content-encoding in the payload?
>
> Wireshark and Tshark will do this for you automatically. For example, I visited www.google.com and captured the traffic with Wireshark. Tshark renders a gzip-encoded response as gzip-encoded, then decoded.
>
> Reassembled TCP (4138 bytes):
>
> 0000  48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d   HTTP/1.1 200 OK.
> 0010  0a 45 78 70 69 72 65 73 3a 20 53 61 74 2c 20 31   .Expires: Sat, 1
> 0020  33 20 4e 6f 76 20 32 30 31 30 20 30 30 3a 30 30   3 Nov 2010 00:00
> 0030  3a 30 30 20 47 4d 54 0d 0a 4c 61 73 74 2d 4d 6f   :00 GMT..Last-Mo
> 0040  64 69 66 69 65 64 3a 20 53 61 74 2c 20 31 35 20   dified: Sat, 15 
> 0050  4e 6f 76 20 32 30 30 38 20 30 30 3a 30 30 3a 30   Nov 2008 00:00:0
> 0060  30 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54   0 GMT..Content-T
> 0070  79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20   ype: text/html; 
> 0080  63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 43   charset=UTF-8..C
> 0090  6f 6e 74 65 6e 74 2d 45 6e 63 6f 64 69 6e 67 3a   ontent-Encoding:
> 00a0  20 67 7a 69 70 0d 0a 44 61 74 65 3a 20 53 61 74    gzip..Date: Sat
> 00b0  2c 20 31 34 20 4e 6f 76 20 32 30 30 39 20 31 37   , 14 Nov 2009 17
> 00c0  3a 35 35 3a 34 33 20 47 4d 54 0d 0a 53 65 72 76   :55:43 GMT..Serv
> 00d0  65 72 3a 20 67 77 73 0d 0a 43 61 63 68 65 2d 43   er: gws..Cache-C
> 00e0  6f 6e 74 72 6f 6c 3a 20 70 72 69 76 61 74 65 2c   ontrol: private,
> 00f0  20 78 2d 67 7a 69 70 2d 6f 6b 3d 22 22 0d 0a 43    x-gzip-ok=""..C
> 0100  6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 33   ontent-Length: 3
> 0110  38 33 38 0d 0a 58 2d 58 53 53 2d 50 72 6f 74 65   838..X-XSS-Prote
> 0120  63 74 69 6f 6e 3a 20 30 0d 0a 0d 0a 1f 8b 08 00   ction: 0........
> 0130  00 00 00 00 02 ff e5 5a 0b 8f e3 b8 91 fe 2b dc   .......Z......+.
> 0140  69 2c 7a 26 b0 65 c9 76 db 6e 7b 67 16 49 76 33   i,z&.e.v.n{g.Iv3
> 0150  39 e0 12 2c 32 83 3b 1c 6e 0f 03 4a a2 2c cd 48   9..,2.;.n..J.,.H
> 0160  a2 46 a4 da dd 63 f8 bf a7 8a 0f 89 92 e5 7e 2c   .F...c........~,
> 0170  92 43 80 a0 d1 32 45 91 55 1f eb c5 2a 4a 77 b4   .C...2E.U...*Jw.
> ...truncated...
>
> Uncompressed entity body (13577 bytes):
>
> 0000  76 61 72 20 6a 65 20 3d 20 67 6f 6f 67 6c 65 2e   var je = google.
> 0010  6a 3b 76 61 72 20 64 72 20 3d 20 30 3b 76 61 72   j;var dr = 0;var
> 0020  20 66 70 20 3d 20 27 38 61 34 66 35 32 38 37 36    fp = '8a4f52876
> 0030  35 65 39 32 30 63 31 27 3b 76 61 72 20 5f 6c 6f   5e920c1';var _lo
> 0040  63 20 3d 20 27 27 3b 76 61 72 20 5f 73 73 20 3d   c = '';var _ss =
> 0050  20 30 3b 6a 65 2e 61 63 28 7b 63 73 73 3a 27 5c    0;je.ac({css:'\
> 0060  78 33 63 73 74 79 6c 65 5c 78 33 65 62 6f 64 79   x3cstyle\x3ebody
> 0070  7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66   {background:#fff
> 0080  3b 63 6f 6c 6f 72 3a 23 30 30 30 3b 6d 61 72 67   ;color:#000;marg
> 0090  69 6e 3a 33 70 78 20 38 70 78 7d 23 67 62 61 72   in:3px 8px}#gbar
> 00a0  7b 66 6c 6f 61 74 3a 6c 65 66 74 3b 68 65 69 67   {float:left;heig
> 00b0  68 74 3a 32 32 70 78 7d 2e 67 62 68 2c 2e 67 62   ht:22px}.gbh,.gb
> 00c0  64 7b 62 6f 72 64 65 72 2d 74 6f 70 3a 31 70 78   d{border-top:1px
> 00d0  20 73 6f 6c 69 64 20 23 63 39 64 37 66 31 3b 66    solid #c9d7f1;f
> 00e0  6f 6e 74 2d 73 69 7a 65 3a 31 70 78 7d 2e 67 62   ont-size:1px}.gb
> 00f0  68 7b 68 65 69 67 68 74 3a 30 3b 70 6f 73 69 74   h{height:0;posit
> 0100  69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70   ion:absolute;top
> 0110  3a 32 34 70 78 3b 77 69 64 74 68 3a 31 30 30 25   :24px;width:100%
> 0120  7d 23 67 62 69 2c 23 67 62 67 2c 23 67 62 73 2c   }#gbi,#gbg,#gbs,
> 0130  23 67 62 6d 7b 62 61 63 6b 67 72 6f 75 6e 64 3a   #gbm{background:
> 0140  23 66 66 66 3b 6c 65 66 74 3a 30 3b 70 6f 73 69   #fff;left:0;posi
> 0150  74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 65   tion:absolute;te
>
> Sincerely,
>
> Richard
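What tshark does in the dump above (reassemble the TCP stream, split off the HTTP headers, then undo the Content-Encoding) can be reproduced by hand when you have only the raw bytes, for instance from a Snort session log or a pcap slice. The following is an added example written for this archive page; it is not code from the thread, from Wireshark or from Snort. The sample response it builds is constructed inline to have the same shape as the Google reply in the dump (Content-Encoding: gzip, an explicit Content-Length, a body starting with the 1f 8b 08 gzip magic); the header values are made up. Beyond the gzip case in the thread it also handles the deflate and identity encodings and chunked transfer coding, since captured responses carry those too.

```python
import gzip
import zlib

# Constructed sample entity body (illustrative; not the bytes from the dump).
SAMPLE_BODY = (b"var je = google.j;var dr = 0;"
               b"je.ac({css:'\\x3cstyle\\x3ebody{background:#fff}'});")


def build_response(body, encoding=None):
    """Assemble a minimal HTTP/1.1 response, compressing the body as asked.

    Only used to construct test input here; in practice the bytes come from
    TCP reassembly (tshark, a Snort session log, ...).
    """
    if encoding in ("gzip", "x-gzip"):
        payload = gzip.compress(body)
    elif encoding == "deflate":
        payload = zlib.compress(body)      # zlib-wrapped, as RFC 2616 specifies
    else:
        payload = body
    headers = [
        "HTTP/1.1 200 OK",
        "Content-Type: text/html; charset=UTF-8",
        "Content-Length: %d" % len(payload),
    ]
    if encoding:
        headers.append("Content-Encoding: %s" % encoding)
    return ("\r\n".join(headers) + "\r\n\r\n").encode("ascii") + payload


def dechunk(body):
    """Remove HTTP/1.1 chunked transfer coding (hex size line, data, CRLF)."""
    out = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)   # ignore chunk extensions
        pos = end + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2


def parse_http_response(raw):
    """Split a reassembled response into (status line, header dict, raw body).

    Header names are lower-cased. If Content-Length disagrees with the body
    length, the reassembly is incomplete and a ValueError is raised instead of
    handing a truncated stream to the decompressor.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers: reassembly incomplete?")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(body)
    elif "content-length" in headers:
        expected = int(headers["content-length"])
        if len(body) != expected:
            raise ValueError("body is %d bytes, Content-Length says %d"
                             % (len(body), expected))
    return status, headers, body


def decode_body(headers, body):
    """Undo Content-Encoding so the entity body can be inspected as plaintext."""
    encoding = headers.get("content-encoding", "identity").lower()
    if encoding in ("gzip", "x-gzip"):
        if body[:2] != b"\x1f\x8b":
            raise ValueError("Content-Encoding says gzip but no gzip magic")
        # 16 + MAX_WBITS tells zlib to expect the gzip wrapper (1f 8b 08 ...)
        return zlib.decompress(body, 16 + zlib.MAX_WBITS)
    if encoding == "deflate":
        try:
            return zlib.decompress(body)                    # zlib-wrapped (spec)
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)   # raw deflate (seen in the wild)
    if encoding == "identity":
        return body
    raise ValueError("unsupported Content-Encoding: %r" % encoding)


if __name__ == "__main__":
    raw = build_response(SAMPLE_BODY, "gzip")
    status, headers, body = parse_http_response(raw)
    print(status, headers["content-encoding"], body[:3].hex())
    print(decode_body(headers, body).decode())
```

The Content-Length check matters more than it looks: a gzip stream cut short by a missed segment raises "incomplete or truncated stream" from zlib, which is easy to misread as a corrupt or deliberately malformed response. The detection-side consequence is the one Adam's question implies: a content rule written against the plaintext ("var je = google.j") will not match the compressed bytes on the wire unless the sensor decompresses the body before inspection.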
Current thread:
- http content-encoding: gzip Adam Szabo (Nov 14)
- Re: http content-encoding: gzip Dave Rutherford (Nov 14)
- Re: http content-encoding: gzip Richard Bejtlich (Nov 14)
- Re: http content-encoding: gzip Adam Szabo (Nov 14)