[Oisf-devel] Suricata and gzip
Victor Julien
victor at inliniac.net
Tue Aug 21 18:06:56 UTC 2012
On 08/21/2012 04:53 PM, Mike Cox wrote:
> It is working for me with file_data and later (latest?) versions of
> Suricata. It appears that the file_data keyword is necessary for
> inspection of decompressed gzip data. This is good to know although
> I'm not sure this is the same for Snort so I'd recommend some clear
> documentation. (Although in all fairness, the info is out there in
> blog posts and stuff but I had trouble finding it a few months ago and
> this is an important feature/ability of Suricata so good documentation
> of how to take advantage of it is a good idea IMHO.)
Yeah, this is different than in Snort. We'll make sure to clearly
document the way HTTP traffic is inspected in our User Guide.
Thanks,
Victor
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
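To illustrate the point made in the thread, here is an added pair of Suricata rules (not from the original mail or the Suricata project); the marker string, sids and message texts are constructed for the example. The first rule uses `file_data` so the `content` match runs against the HTTP response body after Suricata's HTTP parser has decompressed gzip; the second matches the raw packet payload, where a gzip-encoded body only exposes compressed bytes, so the same marker goes undetected.

```suricata
# Inspects the decompressed HTTP response body (what the thread describes).
# file_data switches the following content match to the normalized body buffer.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE marker in decompressed HTTP body"; \
    flow:established,to_client; file_data; content:"CONSTRUCTED-MARKER-STRING"; nocase; \
    classtype:policy-violation; sid:9000001; rev:1;)

# Same marker, but matched on the raw payload. For a gzip-encoded response this only
# sees compressed bytes, so it will not fire even though the first rule does.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE marker in raw payload (misses gzip)"; \
    flow:established,to_client; content:"CONSTRUCTED-MARKER-STRING"; nocase; \
    classtype:policy-violation; sid:9000002; rev:1;)
```

Loading both and replaying a gzip-encoded HTTP response containing the marker is a quick way to confirm which buffer a rule is actually inspecting.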