[Oisf-devel] PDF and SWF file decompressor/parser
Edward Fjellskål
edwardfjellskaal at gmail.com
Fri Aug 26 12:41:03 UTC 2016
Have you looked at using the lua option in Suricata?
If so, you might want to take advantage of:
https://github.com/EmergingThreats/et-luajit-scripts
E
On 08/26/2016 01:37 PM, Mike Cox wrote:
> To restate a little clearer, Flash can be compressed with DEFLATE (Flash
> files with the "CWS" header) or LZMA (Flash files with the "ZWS"
> header). Snort supports both and utilizes the zlib and liblzma
> libraries respectively. I'm not sure what the plan is for Suricata.
>
> -Mike Cox
>
> On Thu, Aug 25, 2016 at 8:52 AM, amit zala <impmails67 at gmail.com> wrote:
>
> Hi,
>
> AFAIK, both pdf and swf use the same decompression algorithms.
> So, are you also writing a parser for swf? "OR" based on the initial few
> bytes (zws/fws) are you applying your decompression algorithms?
>
> I am asking this because, in snort they have file decompression code
> and they use it for both pdf & swf.
> They parse a few bytes in swf to determine which decompression algo is
> being used.
> In pdf, with the help of the /Filter object they determine which
> decompression algo is used.
>
> Are we going to do the same thing for suricata?
> OR
> Is it just a simple swf decompressor?
>
> Thanks
> Amit
>
> On Thu, Aug 25, 2016 at 6:00 PM, <giuseppe at glongo.it> wrote:
>
> Hello,
>
> On 25 Aug 2016 13:42, amit zala <impmails67 at gmail.com> wrote:
> >
> > Hi All,
> >
> > Snort has PDF & SWF file parser and they decompress data using zlib/lzma.
> > Does suricata have this feature? I went through the suricata-3.0 code but I was not able to find it.
> > I think it is an important feature for IPS engine.
> > What are your thoughts on it?
>
> I've started some time ago to implement swf decompression, but
> didn't finish yet.
>
> The plan is to merge it soon.
>
> Regards,
> Giuseppe
>
>
>
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
> Developer Training in Paris Sept 12-16: http://suricata-ids.org/training/
>
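The signature-based dispatch that Mike and Amit describe (FWS stored, CWS zlib/DEFLATE, ZWS LZMA), written out as an added Python example; this is not code from the thread, from Suricata or from Snort. The 16 MiB output cap, the make_swf helper and the constructed bodies are assumptions; the declared uncompressed length in the header is used to bound how much is inflated, which is the check a decompressor in an IDS needs so a small file cannot claim an enormous body.

```python
import lzma
import struct
import zlib

# Output cap, like a decompress-depth setting (assumed value, not from the thread).
MAX_DECOMPRESSED = 16 * 1024 * 1024


def decompress_swf(data: bytes, limit: int = MAX_DECOMPRESSED) -> bytes:
    """Return the SWF body (bytes after the 8-byte header) uncompressed."""
    if len(data) < 8:
        raise ValueError("truncated SWF header")
    # Header: 3-byte signature, 1-byte version, UI32 uncompressed file length.
    sig, _version, file_len = struct.unpack("<3sBI", data[:8])
    if file_len < 8:
        raise ValueError("declared length smaller than the header")
    # file_len is the uncompressed size incl. header, so it bounds the body; also apply limit.
    body_len = min(file_len - 8, limit)
    if body_len == 0:
        return b""
    if sig == b"FWS":                       # stored, nothing to inflate
        return data[8:8 + body_len]
    if sig == b"CWS":                       # zlib / DEFLATE
        return zlib.decompressobj().decompress(data[8:], body_len)
    if sig == b"ZWS":                       # LZMA (Flash Player 11+)
        if len(data) < 17:
            raise ValueError("truncated ZWS header")
        # After the 8-byte header: UI32 compressed length, 5 bytes of LZMA
        # properties, then the LZMA stream. Rebuild a .lzma ("alone") header
        # with size "unknown" so the stock decoder runs to the end marker;
        # body_len still caps how much is handed back.
        alone = data[12:17] + struct.pack("<Q", 0xFFFFFFFFFFFFFFFF) + data[17:]
        dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
        return dec.decompress(alone, body_len)
    raise ValueError("not a SWF file, signature %r" % sig)


def make_swf(body: bytes, sig: bytes, version: int = 10) -> bytes:
    """Build a constructed SWF blob around an uncompressed body (test helper)."""
    header = struct.pack("<3sBI", sig, version, len(body) + 8)
    if sig == b"FWS":
        return header + body
    if sig == b"CWS":
        return header + zlib.compress(body)
    if sig == b"ZWS":
        alone = lzma.compress(body, format=lzma.FORMAT_ALONE)
        stream = alone[13:]  # strip the 5-byte props and 8-byte size field
        return header + struct.pack("<I", len(stream)) + alone[:5] + stream
    raise ValueError("unknown signature %r" % sig)
```

Decoding a PDF stream would be the same zlib call driven by the /Filter entry instead of the 3-byte signature, which is what makes the two formats share one decompression path.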