[Oisf-users] Searching within GZIP Content

Victor Julien victor at inliniac.net
Wed Jul 4 07:52:18 UTC 2012

On 07/04/2012 08:47 AM, Abhishek Sharma wrote:
> Hi All,
> I have been trying to use Suricata to detect keywords within GZIP
> content but haven't been able to do so. I was wondering if there are any
> limitations in the detection engine when it comes to Gzip?
> Victor, as per "https://redmine.openinfosecfoundation.org/issues/308" I
> believe a bug was earlier raised but now stands resolved. I have tried
> this in version 1.2.1 and 1.3rc1 but still the same issue. I have tried
> the file_data and http_server_body keywords
> I am attaching the pcap that I am trying to detect the keyword in. In
> this pcap there is a GZIPPED response from yahoo server in the stream
> "". I am attaching the stream
> as well in its raw form. I am also attaching the unzipped data that I
> have extracted using my own parser in another file.

This stream is incomplete; it's missing the TCP setup sequence.

> I am trying to search the word "Welcome" in this stream. Can anyone
> please try at their end and see if they are able to extract any data?
> Maybe some config changes I need to do?
> Just to mention that a similar issue is there in snort also despite
> using the file_data keyword, and it has been acknowledged to be a bug.
> Now, the second issue is that I am unable to get all alerts for trying
> to find "/neo/launch?.rand" keyword in the http_uri. I need to find
> this only in the URI and nowhere else. This should give me the
> "" combination as the result
> but is only giving " ->
>". Why am I not getting a
> match for ""? I have tried
> with http_uri and http_raw_uri but didn't really work. You can refer to
> the same PCAP for this test as well.
> Hoping that I am doing something stupid somewhere and this has a very
> simple resolution :)

HTTP inspection runs on top of the stream reassembly which depends on a
proper TCP session.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
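The two problems raised in the thread (matching a keyword inside a gzip-encoded HTTP body, and matching a string only in the request URI) both come down to which buffer a rule inspects. Suricata's HTTP parser decompresses a gzip body before exposing it through file_data / http_server_body, while a plain content match sees only the raw, still-compressed payload; http_uri inspects the request-line URI and nothing else, so the same string in a Referer header does not count. The Python below is an added illustration of that difference, not code from the thread or from Suricata: it builds a small gzip-encoded response and a request inline (constructed sample data, not the pcap from the thread) and emulates a raw-payload match, a decompressed-body match and a URI-only match. The Suricata rule shapes in the comments are illustrative only; they still require a reassembled TCP session, so a capture without the three-way handshake will not trigger them unless the sensor is told to pick up sessions midstream (the `midstream` setting in the `stream` section of suricata.yaml).

```python
import gzip

# Constructed sample: a minimal HTTP/1.1 response whose body is gzip-compressed,
# as a server sends with "Content-Encoding: gzip". Not the pcap from the thread.
BODY_PLAIN = b"<html><body><h1>Welcome to the test page</h1></body></html>"
BODY_GZ = gzip.compress(BODY_PLAIN)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Encoding: gzip\r\n"
    b"Content-Length: " + str(len(BODY_GZ)).encode() + b"\r\n"
    b"\r\n" + BODY_GZ
)

# Constructed sample request: the target string appears both in the URI and in
# a Referer header, so a payload-wide match would count it twice.
SAMPLE_REQUEST = (
    b"GET /neo/launch?.rand=1234 HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Referer: http://example.test/neo/launch?.rand=0\r\n"
    b"\r\n"
)


def split_response(raw):
    """Return (headers as a lowercase-name dict, body bytes) for one HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def decoded_body(raw):
    """The body as a file_data / http_server_body rule sees it:
    gunzipped when Content-Encoding is gzip, otherwise unchanged."""
    headers, body = split_response(raw)
    if headers.get(b"content-encoding", b"").lower() == b"gzip":
        return gzip.decompress(body)
    return body


def raw_payload_match(raw, keyword):
    """Emulates a bare content:"keyword" match on the raw TCP payload.
    The compressed bytes do not contain the plaintext keyword."""
    return keyword in raw


def file_data_match(raw, keyword):
    """Emulates:
    alert http any any -> any any (msg:"keyword in body"; flow:established,to_client;
        file_data; content:"Welcome"; sid:1000001; rev:1;)
    i.e. a match against the decompressed body."""
    return keyword in decoded_body(raw)


def request_uri(raw):
    """The request-line URI, which is the only thing http_uri inspects."""
    request_line = raw.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def http_uri_match(raw, keyword):
    """Emulates:
    alert http any any -> any any (msg:"neo launch"; flow:established,to_server;
        content:"/neo/launch?.rand"; http_uri; sid:1000002; rev:1;)
    A hit in Referer or any other header is deliberately ignored."""
    return keyword in request_uri(raw)


def raw_payload_count(raw, keyword):
    """How many times a payload-wide search would find the string (both URI and Referer here)."""
    return raw.count(keyword)


if __name__ == "__main__":
    print("raw payload has 'Welcome':", raw_payload_match(SAMPLE_RESPONSE, b"Welcome"))
    print("file_data has 'Welcome':  ", file_data_match(SAMPLE_RESPONSE, b"Welcome"))
    print("http_uri match:            ", http_uri_match(SAMPLE_REQUEST, b"/neo/launch?.rand"))
    print("payload-wide hits:         ", raw_payload_count(SAMPLE_REQUEST, b"/neo/launch?.rand"))
```

The point to take away is that a rule must name the buffer in which the string actually exists: "Welcome" is only present after libhtp has inflated the body, and a URI-only rule is what keeps the Referer copy from producing an extra (or misleading) alert.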
