[Oisf-devel] Suricata and gzip

Victor Julien victor at inliniac.net
Thu Aug 23 08:20:24 UTC 2012


On 08/21/2012 08:06 PM, Victor Julien wrote:
> On 08/21/2012 04:53 PM, Mike Cox wrote:
>> > It is working for me with file_data and later (latest?) versions of
>> > Suricata. It appears that the file_data keyword is necessary for
>> > inspection of decompressed gzip data.  This is good to know although
>> > I'm not sure this is the same for Snort so I'd recommend some clear
>> > documentation. (Although in all fairness, the info is out there in
>> > blog posts and stuff but I had trouble finding it a few months ago and
>> > this is an important feature/ability of Suricata so good documentation
>> > of how to take advantage of it is a good idea IMHO.)
> Yeah, this is different than in Snort. We'll make sure to clearly
> document the way HTTP traffic is inspected in our User Guide.

I've heard that recent Snort (at least 2.9.1.1) works the same way as we do.

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
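The point Mike and Victor are making is that a plain `content:` match is evaluated against the reassembled stream, where a gzip-encoded HTTP body is still compressed bytes, while `file_data; content:` is evaluated against the body after the HTTP parser has undone the Content-Encoding. The script below is an added example (not code from the thread, from Suricata, or from Snort) that models those two matching modes in plain Python on a constructed HTTP response: the `MARKER` string, the filler body and the two rule snippets in the comments are illustrative, and the two matcher functions are simplified stand-ins for the engine's buffers, not the engine's own logic.

```python
import gzip

# Constructed detection target for the example; any rule pattern would do.
MARKER = b"eval(unescape("

# The two rule shapes being contrasted in the thread (illustrative sids):
#   alert http any any -> any any (msg:"raw stream match";
#       content:"eval(unescape("; sid:1000001; rev:1;)
#   alert http any any -> any any (msg:"decompressed body match";
#       file_data; content:"eval(unescape("; sid:1000002; rev:1;)

# Constructed response body; the repeated filler guarantees the gzip layer
# actually compresses it rather than storing the bytes verbatim.
BODY = (
    b"<html><body>"
    + b"<p>benign filler text, repeated to make the body compressible</p>" * 20
    + b"<script>" + MARKER + b"'%61%6c%65%72%74'))</script></body></html>"
)


def build_response(body: bytes, compress: bool) -> bytes:
    """Assemble a minimal HTTP/1.1 response; gzip the body when compress is True."""
    payload = gzip.compress(body) if compress else body
    headers = [
        b"HTTP/1.1 200 OK",
        b"Content-Type: text/html",
        b"Content-Length: " + str(len(payload)).encode(),
    ]
    if compress:
        headers.append(b"Content-Encoding: gzip")
    return b"\r\n".join(headers) + b"\r\n\r\n" + payload


def split_response(raw: bytes):
    """Return (lower-cased header dict, body bytes) for one non-chunked response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def raw_stream_match(raw: bytes, pattern: bytes) -> bool:
    """Model of a plain 'content:' match: the reassembled stream, no decoding."""
    return pattern in raw


def file_data_match(raw: bytes, pattern: bytes) -> bool:
    """Model of 'file_data; content:': the body after Content-Encoding is undone."""
    headers, body = split_response(raw)
    if headers.get(b"content-encoding", b"").lower() == b"gzip":
        body = gzip.decompress(body)
    return pattern in body


def rule_outcomes(raw: bytes, pattern: bytes = MARKER) -> dict:
    """Evaluate both rule shapes against one response and report the verdicts."""
    return {
        "raw_stream": raw_stream_match(raw, pattern),
        "file_data": file_data_match(raw, pattern),
    }


if __name__ == "__main__":
    for label, compress in (("identity", False), ("gzip", True)):
        print(label, rule_outcomes(build_response(BODY, compress)))
```

With the identity-encoded response both rule shapes match; with the gzip-encoded one only the `file_data` form does, because the marker's bytes never appear literally in the deflate stream. Two caveats carry over to the real engine: the decompressed view exists only when the HTTP parser has recognised the Content-Encoding, and it covers only as much of the body as the parser is configured to buffer (the libhtp `response-body-limit` setting in suricata.yaml), so very large bodies can still hide a pattern past that limit.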