[Oisf-users] gzip encoding in payload
Jason Ish
lists at ish.cx
Thu Apr 20 16:43:26 UTC 2017
On 20/04/17 10:37 AM, erik clark wrote:
> I am having a problem with payload_printable and gzip encoded data.
>
> I will see in a fired sig
>
> text
> text
> text
> Connection:keep-alive
> $gzipdata here
>
> The problem is that Suricata is reading the gzip data and unpacking it
> (afaict) and alerting on it. Well, I have no way to use the
> payload_printable or payload fields to do analysis, since the raw text
> is gzip'd. Is there a way we can get payload_printable to actually be
> the unzipped content, so we don't always have to fetch data from a full
> pcap solution to do session analysis? Since it's a partial gzip string, I
> am not sure if you can even use the packet field to open in Wireshark
> and carve out the gzip.
>
> That suri is performing this analysis on gzip http body content is
> great, but not so great in how it handles pushing it into
> payload_printable. Since we already have the unpacked string, it should
> (in theory) be easy to print that, right? Thanks!
I believe there is currently work in progress on this, see:
https://github.com/inliniac/suricata/pull/2663
Jason
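The partial-gzip problem raised in the question can be worked around on the analyst side while the linked pull request is pending. The following is an added example, not code from the thread or from the Suricata project: it takes an EVE alert record, whose `payload` field carries the matched bytes base64-encoded, splits off the HTTP headers, and runs a streaming zlib inflate over whatever gzip bytes are present. A truncated stream still yields the leading part of the body, and `eof` tells you whether the stream was complete. The EVE record and HTTP response below are constructed for this example; chunked transfer encoding is not handled.

```python
"""Recover the decompressed HTTP body from a possibly truncated gzip payload.

Assumed input: a Suricata EVE alert dict whose 'payload' field holds the raw
matched bytes (HTTP headers followed by the gzip body) in base64. The sample
record produced by make_sample_record() is constructed for this example.
"""
import base64
import gzip
import json
import zlib


def split_http_message(raw: bytes) -> tuple[str, bytes]:
    """Split a raw HTTP message into (header_text, body_bytes)."""
    sep = raw.find(b"\r\n\r\n")
    if sep == -1:
        # No header terminator captured: treat everything as body.
        return "", raw
    return raw[:sep].decode("latin-1"), raw[sep + 4:]


def inflate_partial_gzip(data: bytes) -> tuple[bytes, bool]:
    """Inflate as much of a gzip stream as the available bytes allow.

    zlib's streaming decompressor emits output as it decodes, so a stream cut
    off mid-way still returns the leading part of the body. 16 + MAX_WBITS
    selects gzip framing. Returns (decoded_bytes, stream_complete).
    """
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)
    try:
        out = d.decompress(data)
    except zlib.error:
        # Corrupt (not merely truncated) input: nothing recoverable.
        return b"", False
    return out, d.eof


def recover_body_from_eve(record: dict) -> tuple[str, bytes, bool]:
    """Return (headers, decoded_body, stream_complete) for an EVE alert."""
    raw = base64.b64decode(record["payload"])
    headers, body = split_http_message(raw)
    if "content-encoding: gzip" not in headers.lower():
        # Not gzip-encoded: the captured body is already readable.
        return headers, body, True
    decoded, complete = inflate_partial_gzip(body)
    return headers, decoded, complete


def make_sample_record(truncate_to: float = 1.0) -> dict:
    """Build a constructed EVE-style alert with a gzip HTTP response body.

    truncate_to < 1.0 keeps only that fraction of the gzip bytes, mimicking a
    payload that ends before the stream does.
    """
    body = "".join(
        f"<li>item {i} squared is {i * i}</li>\n" for i in range(300)
    ).encode()
    gz = gzip.compress(body)
    gz = gz[: int(len(gz) * truncate_to)]
    headers = (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html\r\n"
        b"Content-Encoding: gzip\r\n"
        b"Connection: keep-alive\r\n\r\n"
    )
    payload = headers + gz
    return {
        "event_type": "alert",
        "payload": base64.b64encode(payload).decode("ascii"),
        "payload_printable": payload.decode("latin-1"),
    }


if __name__ == "__main__":
    for fraction in (1.0, 0.5):
        rec = make_sample_record(fraction)
        hdrs, decoded, complete = recover_body_from_eve(rec)
        print(json.dumps({
            "gzip_fraction_present": fraction,
            "stream_complete": complete,
            "decoded_bytes": len(decoded),
            "first_line": decoded.split(b"\n", 1)[0].decode("latin-1"),
        }))
```

Run it directly to see the complete and the half-truncated case side by side; in practice you would feed it the `payload` value read from eve.json. Because zlib returns output incrementally, the half-stream case still hands back the first part of the page, which is usually enough to confirm what the rule matched on without pulling the full pcap.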