[Oisf-users] Flash Decompression

Clark Kent ctyk3322 at gmail.com
Tue Jul 17 11:42:51 UTC 2018

Hi Giuseppe,

Thank you for the feedback. Good point on the libhtp response. I double
check to make sure my sample was with in the limit response. Also my file
header is marked 'ZWS'. The most likely culprit is not having the
decompression library installed. The --build-info indicates that it is not

On Tue, Jul 17, 2018 at 4:34 AM, Giuseppe Longo <lists at glongo.it> wrote:

> Hello,
> On 16/07/2018 14:47, Clark Kent wrote:
>> Hello,
>> I was trying out the new Flash decompression feature in beta.
>> Decompressing CWS and making signature on them seems to work fine. However,
>> if I try to signature on lzma content I am not having any luck.
>> Is there anything special that needs to be done to signature on lzma
>> compress Flash files? I do have swf decompression on for both types.
>>             swf-decompression:
>>               enabled: yes
>>               type: both
>>               compress-depth: 0
>>               decompress-depth: 0
> Configuration is fine. You may need to increase libhtp's limits such as
> request/response body limit.
> LZMA decompression requires liblzma-dev to be installed on your system,
> you can check that running 'suricata --build-info'.
> Using decoding events will help you catching something wrong.
> If that doesn't help you, please try to share a pcap if possible, even
> privately, so I can try to check if there is an issue.
> Otherwise, try to paste the first 5 bytes, you should see the 'ZWS'
> signature in the first three, then flash version and length.
> Regards,
> Giuseppe
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180717/4b64eb54/attachment.html>

More information about the Oisf-users mailing list