[Oisf-users] gzip encoding in payload

Jason Ish lists at ish.cx
Thu Apr 20 16:43:26 UTC 2017

On 20/04/17 10:37 AM, erik clark wrote:
> I am having a problem with payload_printable and gzip encoded data.
> I will see in a fired sig
> text
> text
> text
> Connection:keep-alive
> $gzipdata here
> The problem is that suricata is reading the gzip data and unpacking it 
> (afaict) and alerting on it. Well, I have no way to use the 
> payload_printable or payload fields to do analysis, since the raw text 
> is gzip'd. Is there a way we can get payload_printable to actually be 
> the unzipped content, so we dont always have to fetch data from a full 
> pcap solution to do session analysis? Since its a partial gzip string, I 
> am not sure if you can even use the packet field to open in wireshark 
> and carve out the gzip.
> That suri is performing this analysis on gzip http body content is 
> great, but not so great in how it handles pushing it into 
> payload_printable. Since we already have the unpacked string, it should 
> (in theory) be easy to print that, right? Thanks!

I believe there is currently work in progress on this, see:



More information about the Oisf-users mailing list