[Oisf-users] gzip encoding in payload

erik clark philosnef at gmail.com
Thu Apr 20 16:37:11 UTC 2017


I am having a problem with payload_printable and gzip-encoded data.

I will see in a fired sig:

text
text
text
Connection:keep-alive
$gzipdata here

The problem is that Suricata is reading the gzip data and unpacking it
(AFAICT) and alerting on it. Well, I have no way to use the
payload_printable or payload fields to do analysis, since the raw text is
gzip'd. Is there a way we can get payload_printable to actually be the
unzipped content, so we don't always have to fetch data from a full pcap
solution to do session analysis? Since it's a partial gzip string, I am not
sure if you can even use the packet field to open it in Wireshark and carve
out the gzip.

That Suri is performing this analysis on gzip HTTP body content is great,
but not so great in how it handles pushing it into payload_printable. Since
we already have the unpacked string, it should (in theory) be easy to print
that, right? Thanks!
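The carving the poster is unsure about can be done from the alert record itself, as long as the gzip member header is inside the captured payload. The script below is an added example, not part of the original post or of Suricata's code. It assumes the EVE JSON alert carries the raw packet payload base64-encoded in the `payload` field (the field that sits beside `payload_printable`), splits off the HTTP header block, and inflates the gzip body with a streaming zlib decompressor so that a stream cut off mid-body still yields the plaintext prefix instead of an error. The alert record and HTTP response it works on are constructed inline; the truncation point is arbitrary.

```python
"""Carve and inflate a (possibly truncated) gzip HTTP body from an EVE alert payload.

Added example, not Suricata code.  Assumes the EVE alert's `payload` field is
the base64 of the raw packet payload that triggered the signature.
"""
import base64
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"


def split_http_message(raw: bytes):
    """Split a raw HTTP message into (header block, body) at the blank line."""
    idx = raw.find(b"\r\n\r\n")
    if idx == -1:
        return raw, b""
    return raw[: idx + 4], raw[idx + 4:]


def inflate_partial_gzip(data: bytes):
    """Inflate as much of the gzip member in `data` as is actually present.

    An alert payload only holds the bytes of the packet(s) the signature fired
    on, so the gzip stream usually ends before its trailer.  gzip.decompress()
    would raise on that; zlib.decompressobj() streams and simply stops, and its
    .eof flag says whether the trailer was seen.  Returns (plaintext, complete).
    """
    start = data.find(GZIP_MAGIC)
    if start == -1:
        raise ValueError("no gzip member header in body; need the earlier packets")
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    plaintext = inflater.decompress(data[start:])
    return plaintext, inflater.eof


def decode_eve_payload(event: dict):
    """Return (body, complete) for an EVE alert, inflating a gzip body if declared."""
    raw = base64.b64decode(event["payload"])
    headers, body = split_http_message(raw)
    if b"content-encoding: gzip" in headers.lower():
        return inflate_partial_gzip(body)
    return body, True


# --- constructed sample data (not a real capture) ---------------------------

SAMPLE_BODY = b"".join(
    b"<tr><td>row %d</td><td>%x</td></tr>\n" % (i, i * 7919) for i in range(500)
)


def build_sample_event(truncate_to=None) -> dict:
    """Build a minimal EVE-style alert whose payload is an HTTP response with a gzip body.

    `truncate_to` cuts the compressed body short to mimic a payload that ends
    mid-stream, as it does when the alert fires on the first packet of a body.
    """
    gz = gzip.compress(SAMPLE_BODY, mtime=0)
    if truncate_to is not None:
        gz = gz[:truncate_to]
    raw = (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html\r\n"
        b"Content-Encoding: gzip\r\n"
        b"Connection: keep-alive\r\n"
        b"\r\n" + gz
    )
    return {
        "event_type": "alert",
        "payload": base64.b64encode(raw).decode("ascii"),
    }


if __name__ == "__main__":
    for cut in (None, 600):
        body, complete = decode_eve_payload(build_sample_event(cut))
        print(f"truncate_to={cut}: recovered {len(body)} bytes, complete={complete}")
        print(body[:80].decode("ascii", "replace"))
```

The `complete` flag is the check worth keeping: `False` means the payload ended inside the gzip member and the recovered text is only a prefix. If the member header itself is not in the payload (the alert fired on a later packet of the body), `inflate_partial_gzip` raises, and reassembling the stream from a full capture is the only option, which is exactly the fallback the poster wants to avoid.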

