[Oisf-users] Gzip compression

Clark Kent ctyk3322 at gmail.com
Mon Feb 27 15:51:18 UTC 2017


I am semi new to the Suricata signature world. In regards to gzip content
and signatures: do the HTTP modifiers like http_server_body,
http_response_body, file_data, etc. detect on both compressed and
decompressed gzip content?

For example, if I am content matching on an HTTP page that I don't know
will be gzip compressed or not, can I apply the content modifier regardless
of whether the content is compressed or not?
In my light testing, I noticed that if I have gzip content it will trigger
on a signature with either file_data or http_server_body. However, if I
have the same page not gzip compressed, my signatures do not trigger. Just
want to make sure it's not something simple I am overlooking.

So does that mean I have to create two signature sets so that I account for
both gzip and non-gzip compression? I come from a Snort world and, regardless
of the compression, the file_data modifier works on both.

Thanks for the help in advance.
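As an added illustration of the distinction the question is about (not code from the original post or from the Suricata project): a small Python model that builds the same page as a plain and as a gzip-encoded HTTP response, then compares a match on the raw wire bytes with a match on the decoded body. The page body and the pattern are constructed sample values; the functions are hypothetical helpers for building test traffic, not Suricata internals.

```python
import gzip

# Constructed sample page body (not from the original post).
PAGE_BODY = b"<html><body><h1>Welcome</h1><script>evil()</script></body></html>"


def build_http_response(body: bytes, compress: bool) -> bytes:
    """Build a minimal HTTP/1.1 response, optionally gzip-encoding the body."""
    payload = gzip.compress(body) if compress else body
    headers = [
        b"HTTP/1.1 200 OK",
        b"Content-Type: text/html",
        b"Content-Length: " + str(len(payload)).encode(),
    ]
    if compress:
        headers.append(b"Content-Encoding: gzip")
    return b"\r\n".join(headers) + b"\r\n\r\n" + payload


def decoded_body(response: bytes) -> bytes:
    """Split headers from body and undo a gzip Content-Encoding if present."""
    head, _, body = response.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if headers.get(b"content-encoding") == b"gzip":
        return gzip.decompress(body)
    return body


def raw_match(response: bytes, pattern: bytes) -> bool:
    """Match against the wire bytes with no decoding (a plain payload match)."""
    return pattern in response


def body_match(response: bytes, pattern: bytes) -> bool:
    """Match against the decoded body, independent of the transfer encoding."""
    return pattern in decoded_body(response)


if __name__ == "__main__":
    pattern = b"<script>evil()</script>"
    for compressed in (False, True):
        resp = build_http_response(PAGE_BODY, compressed)
        print(f"gzip={compressed}: raw={raw_match(resp, pattern)} "
              f"body={body_match(resp, pattern)}")
```

Generating both variants of the same page this way gives a quick differential test for a rule: a buffer that is normalized should fire on both, while a match on raw bytes only fires on the uncompressed one.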

