[Oisf-devel] PDF and SWF file decompressor/parser
amit zala
impmails67 at gmail.com
Fri Aug 26 12:47:40 UTC 2016
Hi Edward,
Thanks for the suggestion, but using Lua for parsing huge data will be
performance critical.
-
Amit
On Fri, Aug 26, 2016 at 6:11 PM, Edward Fjellskål <
edwardfjellskaal at gmail.com> wrote:
> Have you looked at using the Lua option in Suricata?
>
> If so, you might want to take advantage of:
>
> https://github.com/EmergingThreats/et-luajit-scripts
>
> E
>
>
> On 08/26/2016 01:37 PM, Mike Cox wrote:
> > To restate a little clearer, Flash can be compressed with DEFLATE (Flash
> > files with the "CWS" header) or LZMA (Flash files with the "ZWS"
> > header). Snort supports both and utilizes the zlib and liblzma
> > libraries respectively. I'm not sure what the plan is for Suricata.
> >
> > -Mike Cox
> >
> > On Thu, Aug 25, 2016 at 8:52 AM, amit zala <impmails67 at gmail.com
> > <mailto:impmails67 at gmail.com>> wrote:
> >
> > Hi,
> >
> > AFAIK, both PDF and SWF use the same decompression algorithms.
> > So, are you also writing a parser for SWF? "OR", based on the initial few
> > bytes (ZWS/FWS), are you applying your decompression algorithms?
> >
> > I am asking this because, in Snort they have file decompression code
> > and they use it for both PDF & SWF.
> > They parse a few bytes in SWF to determine which decompression algorithm is
> > being used.
> > In PDF, with the help of the /Filter object they determine which
> > decompression algorithm is used.
> >
> > Are we going to do the same thing for Suricata?
> > OR
> > Is it just a simple SWF decompressor?
> >
> > Thanks
> > Amit
> >
> > On Thu, Aug 25, 2016 at 6:00 PM, <giuseppe at glongo.it
> > <mailto:giuseppe at glongo.it>> wrote:
> >
> > Hello,
> >
> > On 25 Aug 2016 13:42, amit zala <impmails67 at gmail.com
> > <mailto:impmails67 at gmail.com>> wrote:
> > >
> > > Hi All,
> > >
> > > Snort has PDF & SWF file parsers and they decompress data using zlib/lzma.
> > > Does Suricata have this feature? I went through the suricata-3.0 code
> > > but I was not able to find it.
> > > I think it is an important feature for an IPS engine.
> > > What are your thoughts on it?
> >
> > I started some time ago to implement SWF decompression, but
> > haven't finished yet.
> >
> > The plan is to merge it soon.
> >
> > Regards,
> > Giuseppe
> >
> >
> >
> > _______________________________________________
> > Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> > Redmine: https://redmine.openinfosecfoundation.org/
> > Developer Training in Paris Sept 12-16: http://suricata-ids.org/training/
> >
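The signature-based codec selection Mike and Amit describe (FWS uncompressed, CWS zlib/DEFLATE, ZWS LZMA), as an added Python example that is not code from this thread, Snort or Suricata. The output cap and LZMA dictionary cap are assumed defensive limits, and the SWF blobs the builder produces are constructed test input.

```python
import lzma
import struct
import zlib

MAX_OUTPUT = 64 * 1024 * 1024  # assumed cap on decompressed bytes (decompression-bomb guard)
MAX_DICT = 64 * 1024 * 1024    # assumed cap on the LZMA dictionary the decoder may allocate


def swf_decompress(data, max_output=MAX_OUTPUT):
    """Return (signature, version, body) for an SWF blob; the first three
    bytes select the codec: FWS = raw, CWS = zlib/DEFLATE, ZWS = LZMA."""
    if len(data) < 8:
        raise ValueError("too short for an SWF header")
    sig, version, declared_len = struct.unpack("<3sBI", data[:8])
    if sig not in (b"FWS", b"CWS", b"ZWS"):
        raise ValueError("not an SWF signature: %r" % sig)
    # declared_len counts the 8-byte header and is attacker-controlled:
    # use it only as an upper bound, never as a trusted allocation size.
    limit = min(max(declared_len - 8, 0), max_output)
    if sig == b"FWS":
        body = data[8:8 + limit]
    elif sig == b"CWS":
        body = zlib.decompressobj().decompress(data[8:], limit)
    else:
        # ZWS layout after the header: u32 compressed length, 5-byte LZMA
        # properties (lc/lp/pb byte + u32 dict size), then a raw LZMA1 stream.
        if len(data) < 17:
            raise ValueError("truncated ZWS header")
        props, dict_size = struct.unpack("<BI", data[12:17])
        if props >= 9 * 5 * 5:  # encoded as (pb * 5 + lp) * 9 + lc
            raise ValueError("invalid LZMA properties byte")
        lc, lp, pb = props % 9, (props // 9) % 5, props // 45
        filters = [{"id": lzma.FILTER_LZMA1, "lc": lc, "lp": lp, "pb": pb,
                    "dict_size": min(max(dict_size, 4096), MAX_DICT)}]
        dec = lzma.LZMADecompressor(format=lzma.FORMAT_RAW, filters=filters)
        body = dec.decompress(data[17:], limit)  # stops at limit or end marker
    return sig.decode(), version, body


def swf_build(sig, body, version=8):
    """Build a constructed SWF blob for exercising the parser above."""
    header = struct.pack("<3sBI", sig, version, 8 + len(body))
    if sig == b"FWS":
        return header + body
    if sig == b"CWS":
        return header + zlib.compress(body)
    alone = lzma.compress(body, format=lzma.FORMAT_ALONE)  # 13-byte .lzma header + stream
    props, raw = alone[:5], alone[13:]  # keep props byte + dict size; drop u64 size field
    return header + struct.pack("<I", len(raw)) + props + raw
```

Because the declared length and the LZMA dictionary size both come from the file, the caps keep a crafted header from driving a huge allocation or an unbounded inflate, at the cost of truncating files that genuinely exceed them.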