[Oisf-devel] PDF and SWF file decompressor/parser

Mike Cox mike.cox52 at gmail.com
Fri Aug 26 11:37:05 UTC 2016


To restate a little clearer, Flash can be compressed with DEFLATE (Flash
files with the "CWS" header) or LZMA (Flash files with the "ZWS" header).
Snort supports both and utilizes the zlib and liblzma libraries
respectively.  I'm not sure what the plan is for Suricata.

-Mike Cox

On Thu, Aug 25, 2016 at 8:52 AM, amit zala <impmails67 at gmail.com> wrote:

> Hi,
>
> AFAIK, both PDF and SWF use the same decompression algorithms.
> So, are you also writing a parser for SWF? Or, based on the initial few bytes
> (zws/fws), are you applying your decompression algorithms?
>
> I am asking this because, in Snort, they have file decompression code and
> they use it for both PDF & SWF.
> They parse a few bytes in the SWF to determine which decompression algorithm is
> being used.
> In PDF, with the help of the /Filter object, they determine which decompression
> algorithm is used.
>
> Are we going to do the same thing for suricata?
> OR
> Is it just a simple SWF decompressor?
>
> Thanks
> Amit
>
> On Thu, Aug 25, 2016 at 6:00 PM, <giuseppe at glongo.it> wrote:
>
>> Hello,
>>
>> On 25 Aug 2016 13:42, amit zala <impmails67 at gmail.com> wrote:
>> >
>> > Hi All,
>> >
>> > Snort has a PDF & SWF file parser and decompresses data using
>> zlib/lzma.
>> > Does Suricata have this feature? I went through the suricata-3.0 code
>> but I was not able to find it.
>> > I think it is an important feature for an IPS engine.
>> > What are your thoughts on it?
>>
>> I started implementing SWF decompression some time ago, but haven't
>> finished yet.
>>
>> The plan is to merge it soon.
>>
>> Regards,
>> Giuseppe
>>
>
>
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
> Developer Training in Paris Sept 12-16: http://suricata-ids.org/training/
>
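The signature-based dispatch Mike describes (FWS stored, CWS zlib/DEFLATE, ZWS LZMA), written out as an added example; this is not code from the thread, from Snort or from Suricata. It reads the 8-byte SWF header, picks the decoder from the 3-byte signature, and, as the check a file-inspection engine needs, bounds the inflated output by the length the header itself declares so a crafted stream cannot inflate without limit. The 64 MiB policy cap, the `build_swf` sample builder and `SAMPLE_BODY` are assumptions constructed for the example; the ZWS layout (4-byte compressed length, 5-byte LZMA properties, raw LZMA1 stream) follows the SWF file format specification.

```python
"""Detect and inflate the three SWF signatures: FWS (stored), CWS (zlib), ZWS (LZMA).

Added example, not Suricata or Snort code. An SWF file starts with an 8-byte
header: 3-byte signature, 1-byte version, 4-byte little-endian length of the
whole *uncompressed* file. ZWS adds a 4-byte compressed length (bytes after the
props block), a 5-byte LZMA properties block and a raw LZMA1 stream.
"""
import lzma
import struct
import zlib

SWF_HEADER_LEN = 8                 # signature(3) + version(1) + length(4)
ZWS_EXTRA_LEN = 9                  # compressed length(4) + LZMA props(5)
MAX_SWF_LEN = 64 * 1024 * 1024     # assumed policy cap on what we will inflate


def parse_swf_header(data: bytes):
    """Return (signature, version, declared_total_length) or raise ValueError."""
    if len(data) < SWF_HEADER_LEN:
        raise ValueError("truncated SWF header")
    sig = data[:3]
    if sig not in (b"FWS", b"CWS", b"ZWS"):
        raise ValueError("not an SWF signature: %r" % sig)
    declared = struct.unpack_from("<I", data, 4)[0]
    if declared < SWF_HEADER_LEN or declared > MAX_SWF_LEN:
        raise ValueError("implausible declared length %d" % declared)
    return sig, data[3], declared


def lzma_filters_from_props(props: bytes):
    """Decode the 5-byte LZMA properties block into liblzma FILTER_LZMA1 options."""
    d = props[0]                    # (pb * 5 + lp) * 9 + lc
    if d >= 9 * 5 * 5:
        raise ValueError("invalid LZMA properties byte")
    lc, d = d % 9, d // 9
    lp, pb = d % 5, d // 5
    dict_size = struct.unpack("<I", props[1:5])[0]
    return [{"id": lzma.FILTER_LZMA1, "dict_size": dict_size,
             "lc": lc, "lp": lp, "pb": pb}]


def decompress_swf(data: bytes) -> bytes:
    """Return the uncompressed SWF body (everything after the 8-byte header).

    The decoders are asked for at most one byte more than the declared
    length; a stream that yields more is rejected, not inflated to exhaustion.
    """
    sig, _version, declared = parse_swf_header(data)
    body_limit = declared - SWF_HEADER_LEN
    try:
        if sig == b"FWS":
            body = data[SWF_HEADER_LEN:]
        elif sig == b"CWS":
            body = zlib.decompressobj().decompress(data[SWF_HEADER_LEN:], body_limit + 1)
        else:  # ZWS
            if len(data) < SWF_HEADER_LEN + ZWS_EXTRA_LEN:
                raise ValueError("truncated ZWS header")
            comp_len = struct.unpack_from("<I", data, 8)[0]
            props, stream = data[12:17], data[17:]
            if comp_len != len(stream):
                raise ValueError("ZWS compressed length does not match payload")
            dec = lzma.LZMADecompressor(format=lzma.FORMAT_RAW,
                                        filters=lzma_filters_from_props(props))
            body = dec.decompress(stream, max_length=body_limit + 1)
    except (zlib.error, lzma.LZMAError) as exc:
        raise ValueError("corrupt compressed stream: %s" % exc)
    if len(body) > body_limit:
        raise ValueError("stream inflates past the declared length")
    return body


def is_rejected(data: bytes) -> bool:
    """True if decompress_swf refuses the input (for the negative cases)."""
    try:
        decompress_swf(data)
    except ValueError:
        return True
    return False


def build_swf(sig: bytes, body: bytes, version: int = 10, declared: int = None) -> bytes:
    """Construct a sample SWF around `body`; `declared` overrides the length
    field so a file that lies about its size can be built for testing."""
    if declared is None:
        declared = SWF_HEADER_LEN + len(body)
    header = sig + bytes([version]) + struct.pack("<I", declared)
    if sig == b"FWS":
        return header + body
    if sig == b"CWS":
        return header + zlib.compress(body)
    if sig == b"ZWS":
        alone = lzma.compress(body, format=lzma.FORMAT_ALONE)
        props, raw = alone[:5], alone[13:]   # drop the 8-byte size field of the .lzma header
        return header + struct.pack("<I", len(raw)) + props + raw
    raise ValueError("unknown signature %r" % sig)


# Constructed sample body: a frame-size RECT, frame rate/count, then filler tag bytes.
SAMPLE_BODY = bytes.fromhex("78000bb800005f000018000c0100") + b"\x00" * 4000

if __name__ == "__main__":
    for s in (b"FWS", b"CWS", b"ZWS"):
        print(s.decode(), decompress_swf(build_swf(s, SAMPLE_BODY)) == SAMPLE_BODY)
    print("length lie rejected:", is_rejected(build_swf(b"CWS", SAMPLE_BODY, declared=40)))
```

The declared-length field is attacker-controlled too, so it is only used as an upper bound and is itself capped by the engine's own policy limit; the real defence is that neither decoder is ever asked to produce more than `body_limit + 1` bytes. A production implementation in an IPS would stream the file through the decoder in chunks rather than hold it in one buffer, but the dispatch and the bound are the same.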