[Oisf-users] suri 4 and http response/request bodies

Victor Julien lists at inliniac.net
Thu Jun 29 18:21:03 UTC 2017

On 29-06-17 18:20, erik clark wrote:
> Are the response and request bodies now gunzip'd? Or are they still gzip
> encoded. I ask because our biggest problem for analysts at the moment is
> processing events where the payload printable is half gzip encoded,
> forcing them to fall back on full pcap solutions.

The feature Eric and Giuseppe added to 4.0rc1 is that the http bodies
are added to the eve log. This is the body after normalization, so
ungzipped or deflated or both.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
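The reply above says the bodies in the eve log are the post-normalization bodies (gzip and deflate already undone). The following added example, which is not code from the post or from the Suricata project, shows what an analyst-side check for that looks like: it reads eve `http` records, base64-decodes the body fields, and flags any body that still carries a gzip or zlib header (the situation the question describes), decompressing it locally so the printable view is usable. The field names `http_request_body` / `http_response_body` are assumed to match Suricata's eve http output with body logging enabled; the sample log lines are constructed here.

```python
import base64
import gzip
import json
import zlib

# Constructed sample payload and eve lines (not taken from the post).
# The http_response_body field name is an assumption about Suricata's
# eve http output when body logging is switched on.
RAW_BODY = b'{"status":"ok","items":[1,2,3]}'
GZIP_BODY = gzip.compress(RAW_BODY)
DEFLATE_BODY = zlib.compress(RAW_BODY)  # zlib-wrapped deflate


def _http_event(flow_id, url, body):
    return json.dumps({
        "event_type": "http",
        "flow_id": flow_id,
        "http": {
            "hostname": "example.test",
            "url": url,
            "http_response_body": base64.b64encode(body).decode(),
        },
    })


SAMPLE_EVE_LINES = [
    _http_event(1, "/a", RAW_BODY),      # already normalized by the sensor
    _http_event(2, "/b", GZIP_BODY),     # still gzip encoded (the complaint)
    _http_event(3, "/c", DEFLATE_BODY),  # still deflate (zlib) encoded
    json.dumps({"event_type": "alert", "flow_id": 4}),  # ignored, not http
]


def detect_encoding(data):
    """Classify a body by its leading bytes: gzip magic, zlib header, or identity."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    # zlib header: CMF byte 0x78 and (CMF*256 + FLG) divisible by 31
    if len(data) >= 2 and data[0] == 0x78 and ((data[0] << 8) | data[1]) % 31 == 0:
        return "deflate"
    return "identity"


def normalize_body(data):
    """Return (encoding_found, decoded_bytes); identity bodies pass through."""
    enc = detect_encoding(data)
    if enc == "gzip":
        return enc, gzip.decompress(data)
    if enc == "deflate":
        return enc, zlib.decompress(data)
    return enc, data


def audit_eve(lines):
    """Walk eve JSON lines, decode http body fields, report what encoding was still present."""
    results = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") != "http":
            continue
        http = ev.get("http", {})
        for field in ("http_request_body", "http_response_body"):
            if field not in http:
                continue
            raw = base64.b64decode(http[field])
            enc, body = normalize_body(raw)
            results.append({
                "flow_id": ev.get("flow_id"),
                "field": field,
                "encoding": enc,   # anything but "identity" means the sensor did not normalize
                "body": body,
            })
    return results


if __name__ == "__main__":
    for r in audit_eve(SAMPLE_EVE_LINES):
        print(r["flow_id"], r["field"], r["encoding"], r["body"][:40])
```

Running the script over a real eve.json (one JSON object per line) and counting records whose `encoding` is not `identity` tells you directly whether the sensor is emitting normalized bodies or whether the analysts are still seeing compressed payloads.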
