[Oisf-users] Searching within GZIP Content

Victor Julien victor at inliniac.net
Wed Jul 4 07:52:18 UTC 2012


On 07/04/2012 08:47 AM, Abhishek Sharma wrote:
> Hi All,
> 
> I have been trying to use Suricata to detect keywords within GZIP
> content but haven't been able to do so. I was wondering if there are any
> limitations in the detection engine when it comes to Gzip?
> 
> Victor, as per "https://redmine.openinfosecfoundation.org/issues/308" I
> believe a bug was earlier raised but now stands resolved. I have tried
> this in version 1.2.1 and 1.3rc1 but still the same issue. I have tried
> the file_data and http_server_body keywords
> 
> I am attaching the pcap that I am trying to detect the keyword in. In
> this pcap there is a GZIPPED response from yahoo server in the stream
> "098.136.145.154.00080-010.000.000.002.01445". I am attaching the stream
> as well in its raw form. I am also attaching the unzipped data that I
> have extracted using my own parser in another file.

This stream is incomplete; it's missing the TCP setup sequence.

> 
> I am trying to search the word "Welcome" in this stream. Can anyone
> please try at their end and see if they are able to extract any data?
> Maybe some config changes I need to do?
> 
> Just to mention that a similar issue is there in Snort also despite
> using the file_data keyword, and it has been acknowledged to be a bug.
> 
> Now, the second issue is that I am unable to get all alerts for trying
> to find the "/neo/launch?.rand" keyword in the http_uri. I need to find
> this only in the URI and nowhere else. This should give me the
> "098.136.145.154.00080-010.000.000.002.01445" combination as the result
> but is only giving "10.0.0.2:1605 ->
> 216.115.101.179:80". Why am I not getting a
> match for "098.136.145.154.00080-010.000.000.002.01445"? I have tried
> with http_uri and http_raw_uri but it didn't really work. You can refer to
> the same PCAP for this test as well.
> 
> Hoping that I am doing something stupid somewhere and this has a very
> simple resolution :)

HTTP inspection runs on top of the stream reassembly, which depends on a
proper TCP session.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
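A check a practitioner can run on a capture before blaming the detection engine, as an added example that is not code from this thread or from the Suricata project: the script below parses a classic pcap, groups packets into TCP flows and reports whether the SYN, SYN/ACK and ACK of each flow were captured, which is what Suricata's stream engine needs before any HTTP buffer (file_data, http_uri) exists to match against. Both flows it examines are constructed in memory; the addresses merely echo the ones quoted above and the HTTP exchange is invented, so nothing here is the poster's actual capture. It uses only the Python standard library.

```python
"""Report which TCP flows in a pcap begin with a full three-way handshake."""
import gzip
import struct
from collections import defaultdict

SYN, PSH, ACK = 0x02, 0x08, 0x10


def _ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def _checksum(data):
    """RFC 1071 ones-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src, sport, dst, dport, flags, seq=0, ack=0, payload=b""):
    """Ethernet II + IPv4 + TCP frame with valid IP and TCP checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0) + payload
    pseudo = _ip_bytes(src) + _ip_bytes(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6,
                     0, _ip_bytes(src), _ip_bytes(dst))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp   # zero MACs, EtherType IPv4


def build_pcap(frames, base_ts=1341388800):
    """Classic little-endian pcap, linktype 1 (Ethernet), one second per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", base_ts + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap):
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """(src, sport, dst, dport, flags, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    return src, sport, dst, dport, tcp[13], tcp[(tcp[12] >> 4) * 4:]


def handshake_report(pcap):
    """Per flow: were SYN, SYN/ACK and the final ACK all captured, plus payload size."""
    flows = defaultdict(lambda: {"syn": False, "synack": False, "ack": False, "payload": 0})
    for frame in iter_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, flags, payload = parsed
        ends = sorted([(src, sport), (dst, dport)])      # one key for both directions
        st = flows["%s:%d <-> %s:%d" % (ends[0] + ends[1])]
        if flags & SYN and not flags & ACK:
            st["syn"] = True
        elif flags & SYN:
            st["synack"] = st["syn"]        # SYN/ACK without a prior SYN: setup was missed
        elif flags & ACK and st["synack"]:
            st["ack"] = True
        st["payload"] += len(payload)
    return {k: {"complete_handshake": v["syn"] and v["synack"] and v["ack"],
                "payload_bytes": v["payload"]} for k, v in flows.items()}


# Constructed sample traffic modelled loosely on the thread; not the poster's capture.
BODY = gzip.compress(b"<html><body>Welcome to the demo page</body></html>", mtime=0)
REQUEST = (b"GET /neo/launch?.rand=1 HTTP/1.1\r\nHost: example.invalid\r\n"
           b"Accept-Encoding: gzip\r\n\r\n")
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n"
            b"Content-Length: %d\r\n\r\n" % len(BODY)) + BODY


def http_exchange(client, cport, server, with_handshake):
    """Frames of one GET/response; optionally drop the SYN, SYN/ACK, ACK prologue."""
    c2s = dict(src=client, sport=cport, dst=server, dport=80)
    s2c = dict(src=server, sport=80, dst=client, dport=cport)
    frames = [
        build_frame(flags=SYN, seq=1000, **c2s),
        build_frame(flags=SYN | ACK, seq=5000, ack=1001, **s2c),
        build_frame(flags=ACK, seq=1001, ack=5001, **c2s),
        build_frame(flags=PSH | ACK, seq=1001, ack=5001, payload=REQUEST, **c2s),
        build_frame(flags=PSH | ACK, seq=5001, ack=1001 + len(REQUEST), payload=RESPONSE, **s2c),
    ]
    return frames if with_handshake else frames[3:]


def demo():
    """Flow 1 is captured in full; flow 2 starts mid-stream, like the thread's stream."""
    frames = (http_exchange("10.0.0.2", 1605, "216.115.101.179", True)
              + http_exchange("10.0.0.2", 1445, "98.136.145.154", False))
    pcap = build_pcap(frames)
    return pcap, handshake_report(pcap)


if __name__ == "__main__":
    pcap, report = demo()
    with open("constructed.pcap", "wb") as fh:
        fh.write(pcap)
    for flow, state in report.items():
        print(flow, state)
```

Running it writes constructed.pcap, which can then be replayed through Suricata (for example `suricata -r constructed.pcap -s keyword.rules -l /tmp/logs` with a rule such as `alert http any any -> any any (msg:"gzip body keyword"; file_data; content:"Welcome"; sid:1000001; rev:1;)`); the alert in fast.log should appear only for the flow whose handshake was captured. The mid-stream flow never gets a TCP session, so its gzip body is never decompressed and never reaches file_data, whatever the rule says. Recent Suricata releases have a stream.midstream setting that lets the engine pick up sessions it did not see start, but that is a workaround for lossy live captures rather than a fix for a truncated pcap, and the HTTP parser can still only decode a response whose headers it actually saw.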