[Oisf-users] Flash Decompression
Giuseppe Longo
lists at glongo.it
Tue Jul 17 08:34:43 UTC 2018
Hello,
On 16/07/2018 14:47, Clark Kent wrote:
> Hello,
>
> I was trying out the new Flash decompression feature in beta.
> Decompressing CWS and making signature on them seems to work fine.
> However, if I try to signature on lzma content I am not having any luck.
>
> Is there anything special that needs to be done to signature on lzma
> compress Flash files? I do have swf decompression on for both types.
>
> swf-decompression:
>   enabled: yes
>   type: both
>   compress-depth: 0
>   decompress-depth: 0
>
Configuration is fine. You may need to increase libhtp's limits, such as
the request/response body limits.
LZMA decompression requires liblzma-dev to be installed on your system;
you can check that by running 'suricata --build-info'.
Using decoding events will help you catch anything going wrong.
If that doesn't help you, please try to share a pcap if possible, even
privately, so I can try to check if there is an issue.
Otherwise, try to paste the first 5 bytes; you should see the 'ZWS'
signature in the first three, then the Flash version and length.
Regards,
Giuseppe
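As an added illustration of the header check suggested above (example code written here, not Suricata's or libhtp's own implementation): the script below parses the 8-byte SWF header, reports which of the three signatures (FWS uncompressed, CWS zlib, ZWS LZMA) a sample starts with, and decompresses the body with the Python standard library so you can confirm the file is well formed before debugging the sensor. The ZWS layout it assumes (4-byte compressed length, 5-byte LZMA properties, then an LZMA stream with an end marker, as in Adobe's SWF specification) is an assumption of this example, and all SWF bodies it builds are constructed fixtures, not real Flash files.

```python
"""Inspect and decompress an SWF header (added example, not Suricata code).

Constructed example: the SWF bodies produced by build_swf() are fabricated
byte strings wrapped in a valid header, not real Flash content.
"""
import lzma
import struct
import zlib

SWF_HEADER_LEN = 8  # 3-byte signature, 1-byte version, 4-byte LE uncompressed length
COMPRESSION = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}


def parse_swf_header(buf: bytes) -> dict:
    """Return signature, version, declared uncompressed length and compression type."""
    if len(buf) < SWF_HEADER_LEN:
        raise ValueError("buffer shorter than the 8-byte SWF header")
    sig = buf[:3]
    if sig not in COMPRESSION:
        raise ValueError(f"not an SWF file, signature {sig!r}")
    version = buf[3]
    declared_len = struct.unpack_from("<I", buf, 4)[0]  # includes the header itself
    return {
        "signature": sig.decode("ascii"),
        "version": version,
        "uncompressed_length": declared_len,
        "compression": COMPRESSION[sig],
    }


def decompress_swf(buf: bytes) -> bytes:
    """Return the decompressed SWF body (everything after the 8-byte header)."""
    hdr = parse_swf_header(buf)
    if hdr["compression"] == "none":
        return buf[SWF_HEADER_LEN:]
    if hdr["compression"] == "zlib":
        return zlib.decompress(buf[SWF_HEADER_LEN:])
    # ZWS (assumed layout): 4-byte LE compressed length, 5-byte LZMA properties,
    # then the LZMA stream. Python's lzma module has no SWF mode, so we rebuild a
    # ".lzma alone" header: props + 8-byte 'unknown size' field, which makes liblzma
    # read until the end-of-payload marker.
    props = buf[SWF_HEADER_LEN + 4:SWF_HEADER_LEN + 9]
    data = buf[SWF_HEADER_LEN + 9:]
    alone = props + b"\xff" * 8 + data
    return lzma.decompress(alone, format=lzma.FORMAT_ALONE)


def build_swf(body: bytes, kind: str, version: int = 10) -> bytes:
    """Wrap a constructed body as FWS/CWS/ZWS (test fixture, not a real Flash file)."""
    total = SWF_HEADER_LEN + len(body)
    head = bytes([version]) + struct.pack("<I", total)
    if kind == "none":
        return b"FWS" + head + body
    if kind == "zlib":
        return b"CWS" + head + zlib.compress(body)
    alone = lzma.compress(body, format=lzma.FORMAT_ALONE)
    props, data = alone[:5], alone[13:]  # drop the 8-byte size field .lzma carries
    return b"ZWS" + head + struct.pack("<I", len(data)) + props + data


def describe_first_bytes(buf: bytes) -> str:
    """Hex dump of the first 5 bytes, the quick check asked for in the thread."""
    return buf[:5].hex(" ")


if __name__ == "__main__":
    sample = build_swf(b"constructed swf body " * 20, "lzma")
    print(describe_first_bytes(sample))  # starts with 5a 57 53 ('ZWS'), then version 0x0a
    print(parse_swf_header(sample))
    print(len(decompress_swf(sample)), "bytes after decompression")
```

Run it against a real capture by replacing `sample` with the bytes you extracted from the HTTP response body; if `parse_swf_header` raises on the signature, the object Suricata saw was not an SWF at all, and if `decompress_swf` fails on a ZWS sample, the LZMA stream itself is the problem rather than the sensor configuration.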