[Oisf-users] Gzip compression

Victor Julien lists at inliniac.net
Mon Feb 27 17:55:04 UTC 2017


On 27-02-17 16:51, Clark Kent wrote:
> I am semi new to the Suricata signature world. In regards to gzip
> content and signatures. Do the http modifiers like http_server_body,
> http_response_body, file_data, etc. detect on both compressed and
> decompressed gzip content?
> 
> For example if I am content matching on a http page that I don't know if
> it will be gzip compressed or not. Can I apply the content modifier
> regardless of whether the content is compressed or not?
> In my lite testing, I noticed that if I have gzip content it will
> trigger on a signature with either file_data or http_server_body.
> However, if I have the same page not gzip compressed, my signatures do not
> trigger. Just want to make sure it's not something simple I am overlooking.
> 
> So does that mean I have to create two signature sets so that I account
> for both gzip and non-gzip compression? I come from a Snort world and
> regardless of the compression, the file_data modifier works on both.

It should work transparently. If gzip is present it's decompressed, if
you have a plain uncompressed body that's what is used. If you have a
case where it fails I'd love to see a pcap :)

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
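The transparent decompression Victor describes, as an added illustration that is not part of this thread or of Suricata's own code: a small Python model of an HTTP-aware engine that normalizes the response body according to its Content-Encoding header before running the content match, so a single `content:"..."; http_server_body;` style match fires on both the gzip and the plain variant of the same page. The sample page, the pattern and the deflate handling are my own assumptions, not taken from the thread.

```python
import gzip
import zlib
from typing import Optional

# Constructed sample page and the bytes a rule author would put in
# content:"example portal"; http_server_body; (hypothetical rule).
BODY = b"<html><body>Welcome to the example portal</body></html>"
PATTERN = b"example portal"


def build_response(body: bytes, encoding: Optional[str]) -> bytes:
    """Build a minimal HTTP/1.1 response; encoding is None, "gzip" or "deflate"."""
    if encoding == "gzip":
        payload = gzip.compress(body)
    elif encoding == "deflate":
        payload = zlib.compress(body)
    else:
        payload = body
    headers = [b"HTTP/1.1 200 OK",
               b"Content-Type: text/html",
               b"Content-Length: %d" % len(payload)]
    if encoding:
        headers.append(b"Content-Encoding: " + encoding.encode())
    return b"\r\n".join(headers) + b"\r\n\r\n" + payload


def normalized_body(response: bytes) -> bytes:
    """Return the body as an HTTP-aware engine inspects it: decoded when
    Content-Encoding says gzip/deflate, otherwise the raw bytes."""
    head, _, payload = response.partition(b"\r\n\r\n")
    encoding = b""
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-encoding":
            encoding = value.strip().lower()
    if encoding == b"gzip":
        return gzip.decompress(payload)
    if encoding == b"deflate":
        return zlib.decompress(payload)
    return payload


def matches(response: bytes, pattern: bytes, decode: bool = True) -> bool:
    """Apply the content match; decode=False mimics matching on the raw wire body."""
    body = normalized_body(response) if decode else response.partition(b"\r\n\r\n")[2]
    return pattern in body
```

With `decode=True` the match succeeds for the gzip, deflate and plain responses alike; with `decode=False` only the plain response matches, which is the behaviour a rule set would see if the engine did not normalize the body.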