<div dir="ltr">Hi Edward,<div><br></div><div>Thanks for the suggestion, but using lua for parsing huge data will be performance critical.</div><div><br></div><div>-</div><div>Amit</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Aug 26, 2016 at 6:11 PM, Edward Fjellskål <span dir="ltr"><<a href="mailto:edwardfjellskaal@gmail.com" target="_blank">edwardfjellskaal@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Have you looked at using the lua option in Suricata?<br>
<br>
If so, you might want to take advantage of:<br>
<br>
<a href="https://github.com/EmergingThreats/et-luajit-scripts" rel="noreferrer" target="_blank">https://github.com/<wbr>EmergingThreats/et-luajit-<wbr>scripts</a><br>
<br>
E<br>
<span class=""><br>
<br>
On 08/26/2016 01:37 PM, Mike Cox wrote:<br>
> To restate a little clearer, Flash can be compressed with DEFLATE (Flash<br>
> files with the "CWS" header) or LZMA (Flash files with the "ZWS"<br>
> header).  Snort supports both and utilizes the zlib and liblzma<br>
> libraries respectively.  I'm not sure what the plan is for Suricata.<br>
><br>
> -Mike Cox<br>
><br>
> On Thu, Aug 25, 2016 at 8:52 AM, amit zala <<a href="mailto:impmails67@gmail.com">impmails67@gmail.com</a><br>
</span><span class="">> <mailto:<a href="mailto:impmails67@gmail.com">impmails67@gmail.com</a>>> wrote:<br>
><br>
>     Hi,<br>
><br>
>     AFAIK, both pdf and swf use the same decompression algorithms.<br>
>     So, are you also writing a parser for swf? "OR" based on the initial few<br>
>     bytes (zws/fws), are you applying your decompression algorithms?<br>
><br>
>     I am asking this because in Snort they have file decompression code<br>
>     and they use it for both pdf & swf.<br>
>     They parse a few bytes in swf to determine which decompression algo is<br>
>     being used.<br>
>     In PDF, with the help of the /Filter object they determine which<br>
>     decompression algo is used.<br>
><br>
>     Are we going to do the same thing for suricata?<br>
>     OR<br>
>     Is it just a simple swf decompressor?<br>
><br>
>     Thanks<br>
>     Amit<br>
><br>
>     On Thu, Aug 25, 2016 at 6:00 PM, <<a href="mailto:giuseppe@glongo.it">giuseppe@glongo.it</a><br>
</span><span class="">>     <mailto:<a href="mailto:giuseppe@glongo.it">giuseppe@glongo.it</a>>> wrote:<br>
><br>
>         Hello,<br>
><br>
>         On 25 Aug 2016 13:42, amit zala <<a href="mailto:impmails67@gmail.com">impmails67@gmail.com</a><br>
</span>>         <mailto:<a href="mailto:impmails67@gmail.com">impmails67@gmail.com</a>>> wrote:<br>
<span class="">>         ><br>
>         > Hi All,<br>
>         ><br>
>         > Snort has PDF & SWF file parser and they decompress data using zlib/lzma.<br>
>         > Does suricata have this feature? I went through the suricata-3.0 code but I was not able to find it.<br>
>         > I think it is an important feature for IPS engine.<br>
>         > What are your thoughts on it?<br>
><br>
>         I started some time ago to implement swf decompression, but<br>
>         haven't finished yet.<br>
><br>
>         The plan is to merge it soon.<br>
><br>
>         Regards,<br>
>         Giuseppe<br>
><br>
><br>
><br>
>     ______________________________<wbr>_________________<br>
>     Suricata IDS Devel mailing list:<br>
>     <a href="mailto:oisf-devel@openinfosecfoundation.org">oisf-devel@<wbr>openinfosecfoundation.org</a><br>
</span>>     <mailto:<a href="mailto:oisf-devel@openinfosecfoundation.org">oisf-devel@<wbr>openinfosecfoundation.org</a>><br>
<span class="">>     Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Participate:<br>
>     <a href="http://suricata-ids.org/participate/" rel="noreferrer" target="_blank">http://suricata-ids.org/<wbr>participate/</a><br>
>     <<a href="http://suricata-ids.org/participate/" rel="noreferrer" target="_blank">http://suricata-ids.org/<wbr>participate/</a>><br>
>     List:<br>
>     <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" rel="noreferrer" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-devel</a><br>
>     <<a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" rel="noreferrer" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-devel</a>><br>
>     Redmine: <a href="https://redmine.openinfosecfoundation.org/" rel="noreferrer" target="_blank">https://redmine.<wbr>openinfosecfoundation.org/</a><br>
>     <<a href="https://redmine.openinfosecfoundation.org/" rel="noreferrer" target="_blank">https://redmine.<wbr>openinfosecfoundation.org/</a>><br>
>     Developer Training in Paris Sept 12-16:<br>
</span>>     <a href="http://suricata-ids.org/training/" rel="noreferrer" target="_blank">http://suricata-ids.org/<wbr>training/</a> <<a href="http://suricata-ids.org/training/" rel="noreferrer" target="_blank">http://suricata-ids.org/<wbr>training/</a>><br>
<div class="HOEnZb"><div class="h5">><br>
</div></div></blockquote></div><br></div>
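As an added example (not code from this thread, Suricata or Snort), here is the signature-based dispatch the thread describes, in Python: the first three bytes select no decompression (FWS), zlib (CWS) or LZMA (ZWS), and the declared file length and the LZMA dictionary size, both attacker-controlled in a file seen on the wire, are capped before anything is inflated. The ZWS layout follows the Adobe SWF file format specification; the caps and the `make_swf()` helper are constructed for this example.

```python
import struct
import zlib
import lzma

# Caps chosen for this example: decompressed bytes an inspector will buffer, and
# the largest attacker-supplied LZMA dictionary it will let liblzma allocate.
MAX_UNCOMPRESSED = 16 * 1024 * 1024
MAX_DICT_SIZE = 64 * 1024 * 1024
# The first three bytes name the algorithm: FWS plain, CWS zlib/DEFLATE, ZWS LZMA.
SIGNATURES = {b"FWS": "none", b"CWS": "deflate", b"ZWS": "lzma"}
# Constructed LZMA settings used by make_swf(): lc=3, lp=0, pb=2, 64 KiB dictionary.
LZMA1 = {"id": lzma.FILTER_LZMA1, "dict_size": 1 << 16, "lc": 3, "lp": 0, "pb": 2}

def decompress_swf(data, limit=MAX_UNCOMPRESSED):
    """Pick the decompressor from the signature and return the inflated body."""
    kind = SIGNATURES.get(data[:3])
    if kind is None or len(data) < 8:
        raise ValueError("not a SWF header")
    # Bytes 4..7: LE32 uncompressed size of the whole file, header included.
    declared = struct.unpack_from("<I", data, 4)[0]
    if declared <= 8:  # empty body; also keeps max_length above 0 (0 = unlimited)
        raise ValueError("declared length leaves no body")
    want = min(declared - 8, limit)  # the declared length is attacker-controlled
    if kind == "none":
        return data[8:8 + want]
    if kind == "deflate":
        return zlib.decompressobj().decompress(data[8:], max_length=want)
    # ZWS: LE32 compressed length, one byte lc + lp*9 + pb*45, LE32 dictionary size
    # (which drives the decoder's allocation), then the raw LZMA1 stream.
    pb_lp_lc, dict_size = struct.unpack_from("<BI", data, 12)
    if pb_lp_lc >= 225 or dict_size > MAX_DICT_SIZE:
        raise ValueError("rejected LZMA properties")
    flt = [{"id": lzma.FILTER_LZMA1, "dict_size": dict_size, "lc": pb_lp_lc % 9,
            "lp": pb_lp_lc // 9 % 5, "pb": pb_lp_lc // 45}]
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_RAW, filters=flt)
    return dec.decompress(data[17:], max_length=want)

def make_swf(kind, body):
    """Build a constructed SWF of the given kind around body (test input only)."""
    sig = {v: k for k, v in SIGNATURES.items()}[kind]
    header = sig + b"\x0a" + struct.pack("<I", 8 + len(body))
    if kind == "none":
        return header + body
    if kind == "deflate":
        return header + zlib.compress(body)
    packed = lzma.compress(body, format=lzma.FORMAT_RAW, filters=[LZMA1])
    props = struct.pack("<BI", LZMA1["lc"] + LZMA1["lp"] * 9 + LZMA1["pb"] * 45,
                        LZMA1["dict_size"])
    return header + struct.pack("<I", len(packed)) + props + packed
```

The `limit` argument is what keeps a decompression bomb from turning file inspection into a memory problem; an engine would also want to stop parsing once that cap is hit rather than silently scanning a truncated body.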