[Oisf-devel] PDF and SWF file decompressor/parser

amit zala impmails67 at gmail.com
Thu Aug 25 12:52:09 UTC 2016


AFAIK, both PDF and SWF use the same decompression algorithms.
So, are you also writing a parser for SWF? Or, based on the initial few bytes
(ZWS/FWS), are you applying your decompression algorithms?

I am asking this because, in Snort, they have file decompression code and
they use it for both PDF & SWF.
They parse a few bytes in SWF to determine which decompression algo is being
In PDF, with the help of the /Filter object, they determine which decompression
algo is used.

Are we going to do the same thing for Suricata?
Is it just a simple SWF decompressor?


On Thu, Aug 25, 2016 at 6:00 PM, <giuseppe at glongo.it> wrote:

> Hello,
> On 25 Aug 2016 13:42, amit zala <impmails67 at gmail.com> wrote:
> >
> > Hi All,
> >
> > Snort has PDF & SWF file parsers and they decompress data using zlib/lzma.
> > Does Suricata have this feature? I went through the suricata-3.0 code
> > but I was not able to find it.
> > I think it is an important feature for an IPS engine.
> > What are your thoughts on it?
> I started some time ago to implement SWF decompression, but haven't
> finished yet.
> The plan is to merge it soon.
> Regards,
> Giuseppe
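As an added example (not code from this thread, nor from Suricata or Snort), the header check the question describes: the SWF three-byte signature selects no compression, zlib or LZMA, and a PDF's /Filter entries name the decoder that follows. The SWF header layout used here and all sample bytes are assumptions constructed for the example.

```python
import lzma
import re
import struct
import zlib

# Assumed layout (not from the thread): SWF header = 3-byte signature, 1-byte
# version, 4-byte little-endian uncompressed length of the whole file.
SWF_COMPRESSION = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}


def swf_decompress(data: bytes) -> tuple:
    """Return (compression scheme, decompressed body) for an SWF blob."""
    if len(data) < 8 or data[:3] not in SWF_COMPRESSION:
        raise ValueError("not an SWF file")
    scheme = SWF_COMPRESSION[data[:3]]
    expected = struct.unpack("<I", data[4:8])[0] - 8  # body length per header
    if scheme == "none":
        body = data[8:]
    elif scheme == "zlib":
        body = zlib.decompress(data[8:])
    else:
        # ZWS: 4-byte compressed length, 5-byte LZMA props, then the LZMA stream.
        # Rebuild an .lzma ("alone") header with size "unknown" so the stream's
        # end marker terminates decoding (files lacking it need the header length).
        alone = data[12:17] + b"\xff" * 8 + data[17:]
        body = lzma.LZMADecompressor(lzma.FORMAT_ALONE).decompress(alone)
    if len(body) != expected:  # header/body disagreement is itself worth flagging
        raise ValueError(f"length mismatch: header says {expected}, got {len(body)}")
    return scheme, body


def pdf_filters(data: bytes) -> list:
    """List /Filter names (single or array form) found in a PDF blob, in order."""
    if not data.startswith(b"%PDF"):
        raise ValueError("not a PDF file")
    names = []
    for arr, single in re.findall(rb"/Filter\s*(?:\[([^\]]*)\]|/(\w+))", data):
        found = re.findall(rb"/(\w+)", arr) if arr else [single]
        names += [n.decode() for n in found]
    return names


# Constructed samples: a fake SWF body and a fake PDF fragment, not real files.
_BODY = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x18\x01\x00" + b"A" * 100
_LEN = struct.pack("<I", 8 + len(_BODY))
SAMPLE_FWS = b"FWS\x0a" + _LEN + _BODY
SAMPLE_CWS = b"CWS\x0a" + _LEN + zlib.compress(_BODY)
_LZ = lzma.compress(_BODY, format=lzma.FORMAT_ALONE)  # 5 props + 8 size + data
SAMPLE_ZWS = b"ZWS\x0d" + _LEN + struct.pack("<I", len(_LZ) - 13) + _LZ[:5] + _LZ[13:]
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Length 5 /Filter /FlateDecode >>\nstream\n...\nendstream\n2 0 obj\n<< /Filter [/ASCIIHexDecode /FlateDecode] >>\n"
```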