<div dir="ltr"><font color="black" face="Tahoma" size="2"><span style="font-size:10pt" dir="ltr">To restate a little clearer, Flash can be compressed with DEFLATE (Flash files with the
"CWS" header) or LZMA (Flash files with the "ZWS" header). Snort
supports both and
utilizes the zlib and liblzma libraries respectively. I'm not sure what the plan is
for Suricata.<br>
<br>
-Mike Cox</span></font><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Aug 25, 2016 at 8:52 AM, amit zala <span dir="ltr"><<a href="mailto:impmails67@gmail.com" target="_blank">impmails67@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>AFAIK, both pdf and swf use same decompression algorithms.</div><div>So, Are you also writing parser for swf? "OR" based on initial few bytes (zws/fws) you are applying your decompression algorithms?</div><div><br></div><div>I am asking this because, In snort they have file decompression code and they use it for both pdf & swf.</div><div>They parse few bytes in swf to determine which decompression algo is being used.</div><div>In Pdf, with the help of /filter object they determine which decompression algo is used.</div><div><br></div><div>Are we going to do the same thing for suricata?</div><div>OR<br></div><div>Is it just a simple swf decompressor?</div><div><br></div><div>Thanks</div><span class="HOEnZb"><font color="#888888"><div>Amit</div></font></span></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Aug 25, 2016 at 6:00 PM, <span dir="ltr"><<a href="mailto:giuseppe@glongo.it" target="_blank">giuseppe@glongo.it</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">Hello,</p><span>
<p dir="ltr">Il 25 Ago 2016 13:42, amit zala <<a href="mailto:impmails67@gmail.com" target="_blank">impmails67@gmail.com</a>> ha scritto:<br>
><br>
> Hi All,<br>
><br>
> Snort has PDF & SWF file parser and they decompress data using zlib/lzma.<br>
> Does suricata have this feature? I went through the suricata-3.0 code but I was not able to find it.<br>
> I think it is an important feature for IPS engine.<br>
> What are your thoughts on it?</p>
</span><p dir="ltr">I've started some time ago to implement swf decompression, but didn't finish yet.</p>
<p dir="ltr">The plan is to merge it soon.</p>
<p dir="ltr">Regards,<br>
Giuseppe <br></p>
</blockquote></div><br></div>
</div></div><br>______________________________<wbr>_________________<br>
Suricata IDS Devel mailing list: <a href="mailto:oisf-devel@openinfosecfoundation.org">oisf-devel@<wbr>openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Participate: <a href="http://suricata-ids.org/participate/" rel="noreferrer" target="_blank">http://suricata-ids.org/<wbr>participate/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" rel="noreferrer" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-devel</a><br>
Redmine: <a href="https://redmine.openinfosecfoundation.org/" rel="noreferrer" target="_blank">https://redmine.<wbr>openinfosecfoundation.org/</a><br>
Developer Training in Paris Sept 12-16: <a href="http://suricata-ids.org/training/" rel="noreferrer" target="_blank">http://suricata-ids.org/<wbr>training/</a><br></blockquote></div><br></div></div>