[Oisf-users] Flash Decompression

Giuseppe Longo lists at glongo.it
Tue Jul 17 08:34:43 UTC 2018


On 16/07/2018 14:47, Clark Kent wrote:
> Hello,
> I was trying out the new Flash decompression feature in beta. 
> Decompressing CWS and making signature on them seems to work fine. 
> However, if I try to signature on lzma content I am not having any luck.
> Is there anything special that needs to be done to signature on lzma 
> compress Flash files? I do have swf decompression on for both types.
>             swf-decompression:
>               enabled: yes
>               type: both
>               compress-depth: 0
>               decompress-depth: 0

Configuration is fine. You may need to increase libhtp's limits such as
request/response body limit.
LZMA decompression requires liblzma-dev to be installed on your system,
you can check that running 'suricata --build-info'.
Using decoding events will help you catching something wrong.
If that doesn't help you, please try to share a pcap if possible, even 
privately, so I can try to check if there is an issue.
Otherwise, try to paste the first 5 bytes, you should see the 'ZWS' 
signature in the first three, then flash version and length.


More information about the Oisf-users mailing list