[Oisf-users] Gzip compression

Victor Julien lists at inliniac.net
Mon Feb 27 17:55:04 UTC 2017

On 27-02-17 16:51, Clark Kent wrote:
> I am semi new to the Suricata signature world. In regards to gzip
> content and signatures. Does the http modifers like http_server_body,
> http_response_body, file_data, and etc detect on both compressed and
> decompressed gzip content?
> For example if I am content matching on a http page that I don't know if
> it will be gzip compress or not. Can I apply the content modifier
> regardless if the content is compress or not?
> In my lite testing, I noticed that if I have a gzip content it will
> trigger on a signature with either file_data or http_server_body.
> However, if I have the same page not gzip compress, my signatures do not
> trigger. Just want to make sure it not something simple I am over looking.
> So does that mean I have to create two signature set so that I account
> for both gzip and nonzip compression? I come from a Snort world and
> regardless of the compression, the file_data modifier works on both.

It should work transparently. If gzip is present it's decompressed, if
you have a plain uncompressed body thats what is used. If you have a
case where it fails I'd love to see a pcap :)

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-users mailing list