[Snort-devel] http_gunzip preprocessor
william.metcalf at ...2499...
Mon Jan 2 13:42:03 EST 2006
Shouldn't be too hard to write; I would also like to see the preproc
split out the actual payload from the HTTP header stuff. I'll look
into it, but I promise nothing as I'm pretty busy these days.
On 1/2/06, Frank Knobbe <frank at ...2134...> wrote:
> the third version of the metasploit for the WMF issue is capable of
> gzipped HTTP responses. Any attack (and I have caught a few in the past)
> that runs over compressed HTTP responses is not detected by Snort.
> While a gunzip implementation in the http_inspect preprocessor is
> certainly harmful to performance, I believe the capability should be
> added nevertheless so that the user may enable it in times when it is
> needed. Currently, with the next, still unpatched WMF exploits using
> compressed HTTP, this capability is absolutely essential. Without it,
> Snort can not compete against other IDS systems that support
> decompression of gzipped HTTP traffic.
> So my question to the developers is: Will Snort receive this capability
> any time soon? Is anyone working on an http_inspect_gunzip preprocessor?
> It is said that the Internet is a public utility. As such, it is best
> compared to a sewer. A big, fat pipe with a bunch of crap sloshing
> against your ports.
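Added example for this thread (written for this archive page; it is not Snort's http_inspect code, and the response bytes and the marker pattern are constructed samples): it shows why a content match on the wire bytes misses a pattern inside a gzipped response, and what a gunzip step in the inspection path has to do: split the header block from the body, undo chunked transfer-encoding, gunzip with a size cap, and only then run the match.

```python
"""Added example (not Snort code): gzip-encoded HTTP responses hide a byte
pattern from an inspector that matches on the wire bytes. The response and
the marker pattern below are constructed samples."""
import gzip
import io

# Constructed stand-in for the byte pattern a signature would look for.
MARKER = b"EVIL-PAYLOAD-MARKER"

# Cap on decompressed size: a gunzip step in the inspection path is itself
# an attack surface (decompression bombs), so bound the output.
MAX_DECOMPRESSED = 1 << 20


def split_http_response(raw: bytes):
    """Return (status_line, lowercased-header dict, raw body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers found")
    lines = head.split(b"\r\n")
    status = lines[0].decode("iso-8859-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("iso-8859-1")] = value.strip().decode("iso-8859-1")
    return status, headers, body


def dechunk(body: bytes) -> bytes:
    """Undo Transfer-Encoding: chunked (chunk extensions and trailers ignored)."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            break
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that ends each chunk
    return bytes(out)


def decode_body(headers: dict, body: bytes) -> bytes:
    """Normalise a body to the bytes the browser would actually see."""
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    if headers.get("content-encoding", "").lower() == "gzip":
        with gzip.GzipFile(fileobj=io.BytesIO(body)) as gz:
            body = gz.read(MAX_DECOMPRESSED + 1)
        if len(body) > MAX_DECOMPRESSED:
            raise ValueError("decompressed body exceeds limit")
    return body


def inspect(raw: bytes, gunzip: bool) -> bool:
    """True if MARKER is found. gunzip=False is the pre-decompression
    behaviour discussed in the thread: matching on the wire bytes only."""
    _status, headers, body = split_http_response(raw)
    payload = decode_body(headers, body) if gunzip else body
    return MARKER in payload


def build_sample_response(compress: bool, chunked: bool = False) -> bytes:
    """Constructed HTTP/1.1 response carrying MARKER in its body."""
    body = b"<html><!-- " + b"padding " * 64 + b"-->" + MARKER + b"</html>"
    lines = [b"HTTP/1.1 200 OK", b"Content-Type: text/html"]
    if compress:
        body = gzip.compress(body)
        lines.append(b"Content-Encoding: gzip")
    if chunked:
        chunks = [body[i:i + 16] for i in range(0, len(body), 16)]
        body = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n\r\n"
        lines.append(b"Transfer-Encoding: chunked")
    else:
        lines.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


if __name__ == "__main__":
    plain = build_sample_response(compress=False)
    gz = build_sample_response(compress=True, chunked=True)
    print("plain, wire-bytes match:   ", inspect(plain, gunzip=False))
    print("gzip+chunked, wire bytes:  ", inspect(gz, gunzip=False))
    print("gzip+chunked, after gunzip:", inspect(gz, gunzip=True))
```

The size cap matters in practice: once an inspector inflates attacker-controlled bodies, a small response can expand to a very large buffer, so the gunzip step needs its own limit (and, in a real sensor, a per-flow budget) rather than trusting Content-Length.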