[Oisf-devel] http reply with deflate not supported on Suricata ?

Victor Julien victor at inliniac.net
Mon Jul 8 08:03:15 UTC 2013


On 07/08/2013 09:57 AM, Ivan Ristić wrote:
> On 08/07/2013 08:39, Victor Julien wrote:
>> On 07/06/2013 09:58 PM, rmkml wrote:
>>> Hi,
>>>
>>> Can anyone confirm whether deflate compression is supported or not on
>>> Suricata, please? (on HTTP reply) Or is it planned?
>>>
>>> libhtp/htp/htp.h : (suricata git 4 jul)
>>> ...
>>> #define COMPRESSION_NONE     0
>>> #define COMPRESSION_GZIP     1
>>> #define COMPRESSION_COMPRESS 2 // Not implemented
>>> #define COMPRESSION_DEFLATE  3 // Not implemented
>>> ...
>>>
>>> I'm curious: is deflate compression not implemented in libhtp because
>>> deflate is minor in HTTP compression traffic, or because deflate/compress
>>> are complicated to implement, please?
> 
> It's just that LibHTP did not support it at that point of time. GZIP and
> DEFLATE are the same compression algorithm: GZIP = header + DEFLATE.
> 
> 
>>> If you want, I will open a new Redmine ticket.
>>
>> Libhtp indeed doesn't support it yet, so Suricata doesn't either. Please
>> open a ticket. Thanks!
> 
> Actually, LibHTP does not seem to support it in the old version (0.2.x),
> which Suricata 1.4.x and earlier are using. The current version (0.5.x,
> which Suricata has moved to recently) supports DEFLATE.
> 

Ah, that is good news Ivan, thanks. I had a look at the libhtp master
branch, but didn't see the support there. Guess I was confused by the
fact that all the functions have gzip in their name :)

Anyhow, 0.5.x merge will happen soon, so we'll have the deflate support
then.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
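
The "GZIP = header + DEFLATE" relationship from the thread, and what a body decoder has to accept for `Content-Encoding: deflate` before an inspection engine can match on the payload, as an added Python example. It is not part of the original message and not libhtp's code; the function names and the sample body are assumptions made up for this illustration.

```python
import gzip
import zlib

# Constructed sample body; not taken from the thread.
BODY = b"<html><body>constructed sample response body</body></html>" * 4


def raw_deflate(data: bytes) -> bytes:
    """Compress to a bare DEFLATE stream (RFC 1951), no wrapper."""
    c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    return c.compress(data) + c.flush()


def gzip_payload(gz: bytes) -> bytes:
    """Strip the gzip framing (RFC 1952), returning the embedded DEFLATE stream."""
    if gz[:2] != b"\x1f\x8b" or gz[2] != 8:
        raise ValueError("not a gzip member using DEFLATE")
    flags, pos = gz[3], 10  # fixed header is 10 bytes
    if flags & 0x04:  # FEXTRA: 2-byte length, then that many bytes
        pos += 2 + int.from_bytes(gz[pos:pos + 2], "little")
    for bit in (0x08, 0x10):  # FNAME, FCOMMENT: zero-terminated strings
        if flags & bit:
            pos = gz.index(b"\x00", pos) + 1
    if flags & 0x02:  # FHCRC: 2-byte header checksum
        pos += 2
    return gz[pos:-8]  # trailer is CRC32 + ISIZE


def decode_body(encoding: str, data: bytes) -> bytes:
    """Decode a response body for inspection according to Content-Encoding."""
    enc = encoding.strip().lower()
    if enc in ("gzip", "x-gzip"):
        return zlib.decompress(data, wbits=16 + zlib.MAX_WBITS)
    if enc == "deflate":
        try:  # per the HTTP spec: DEFLATE inside a zlib wrapper (RFC 1950)
            return zlib.decompress(data, wbits=zlib.MAX_WBITS)
        except zlib.error:  # some servers send a bare DEFLATE stream instead
            return zlib.decompress(data, wbits=-zlib.MAX_WBITS)
    if enc in ("", "identity"):
        return data
    raise ValueError(f"unsupported Content-Encoding: {encoding}")


if __name__ == "__main__":
    inner = gzip_payload(gzip.compress(BODY))
    print(zlib.decompress(inner, wbits=-zlib.MAX_WBITS) == BODY)
```

A decoder that handles only the `gzip` branch leaves `deflate` bodies compressed, so content rules never see the cleartext; raising on unknown encodings lets the caller log that gap rather than silently pass the body.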



