[Snort-devel] http_gunzip preprocessor

Frank Knobbe frank at ...2134...
Mon Jan 2 06:36:01 EST 2006


The third version of the Metasploit for the WMF issue is capable of
gzipped HTTP responses. Any attack (and I have caught a few in the past)
that runs over compressed HTTP responses is not detected by Snort.

While a gunzip implementation in the http_inspect preprocessor is
certainly harmful to performance, I believe the capability should be
added nevertheless so that the user may enable it in times when it is
needed. Currently, with the next, still unpatched WMF exploits using
compressed HTTP, this capability is absolutely essential. Without it,
Snort cannot compete against other IDS systems that support
decompression of gzipped HTTP traffic.

So my question to the developers is: Will Snort receive this capability
any time soon? Is anyone working on an http_inspect_gunzip preprocessor?


It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
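
The detection gap described in the message above, as an added example that is not part of the original post and is not Snort code: a content match over a gzip-encoded HTTP response body misses until the body is inflated, and the inflation is capped to bound its cost. `PATTERN`, `MAX_INFLATED` and all function names are assumptions made for this illustration, and the sample response is constructed.

```python
import gzip
import zlib

MAX_INFLATED = 64 * 1024  # assumed cap on decompressed bytes inspected per response

# Constructed placeholder standing in for a rule's content match.
PATTERN = b"EXAMPLE-SIGNATURE-BYTES"


def split_response(raw):
    """Split a raw HTTP response into a lower-cased header dict and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body


def inflate_bounded(body, limit=MAX_INFLATED):
    """Gunzip at most `limit` bytes; a corrupt stream yields no data."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects the gzip wrapper
    try:
        return d.decompress(body, limit)
    except zlib.error:
        return b""


def inspect(raw, pattern=PATTERN, gunzip=True):
    """Return True if the pattern is found in the (optionally inflated) body."""
    headers, body = split_response(raw)
    if gunzip and headers.get(b"content-encoding") in (b"gzip", b"x-gzip"):
        body = inflate_bounded(body)
    return pattern in body


def build_response(payload, compress):
    """Build a constructed sample response for the demonstration."""
    body = gzip.compress(payload) if compress else payload
    head = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
    if compress:
        head += b"Content-Encoding: gzip\r\n"
    head += b"Content-Length: %d\r\n\r\n" % len(body)
    return head + body
```

The cap is the performance trade-off the message mentions: anything past `MAX_INFLATED` decompressed bytes goes uninspected, so the limit has to be chosen with that blind spot in mind.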
