Re: how to write rule to match content in http responce gzip encoding?

[waldo kitty <wkitty42 () windstream net>]

On 12/13/2012 12:57, Mitesh Jadia wrote:
> Hello,
>
> I am writing one rule like
>   content:"ABC";nocase;msg:....
>
> http response is in gzip encoding and I have enabled ZLIB while configuring
> snort. Also http_inspect preprocessor configuration is set to
> extended_response_inspection. But this rule is not getting matched.
>
> Please show me proper way.

post the rule that you have as it is... you may be close or you may be a world 
away... we cannot tell without seeing the rule...

there are several ways to do things and one answer is not always /the/ only 
answer...

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!