Snort mailing list archives
Re: Snort 2.8.6-beta and gzip encoding
From: Alex Kirk <akirk () sourcefire com>
Date: Tue, 19 Jan 2010 15:51:47 -0500
I spent this morning testing this myself, and it appears that some bugs remain in the gzip code - both in regards to stream reassembly and return codes from zlib that indicate success, but in different ways. I've filed some internal bugs here, and hopefully fixes will be forthcoming reasonably soon. For now, though, I wouldn't expect a great deal of success with gzip decompression. On Thu, Jan 14, 2010 at 7:52 AM, <luismanuel.carril () usc es> wrote:
Hi I have been trying to use the new gzip feature to detect words in the HTTP body response, but I am unable to detect anything. I have compiled Snort with --enable-zlib and at the conf file I have configured the http_inspect_server in this way: preporcessor http_inspect_server: server default \ profile all ports {80 8080 8180} oversize_dir_length 500 server_flow_depth 1460 extended_response_inspection inspect_gzip compress_depth 1460 decompress_depth 20480 Has someone had success with this? Thanks in advance Luis M. ------------------------------------------------------------------------------ Throughout its 18-year history, RSA Conference consistently attracts the world's best and brightest in the field, creating opportunities for Conference attendees to learn about information security's most important issues through interactions with peers, luminaries and emerging and established companies. http://p.sf.net/sfu/rsaconf-dev2dev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Alex Kirk AEGIS Program Lead Sourcefire Vulnerability Research Team +1-410-423-1937 alex.kirk () sourcefire com
------------------------------------------------------------------------------ Throughout its 18-year history, RSA Conference consistently attracts the world's best and brightest in the field, creating opportunities for Conference attendees to learn about information security's most important issues through interactions with peers, luminaries and emerging and established companies. http://p.sf.net/sfu/rsaconf-dev2dev
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort 2.8.6-beta and gzip encoding luismanuel . carril (Jan 14)
- Re: Snort 2.8.6-beta and gzip encoding Alex Kirk (Jan 19)