[Snort-devel] http_gunzip preprocessor

Will Metcalf william.metcalf at ...2499...
Mon Jan 2 13:42:03 EST 2006

Shouldn't be to hard to write, I would also like to see the preproc
split out the actual payload from the http header stuff.  I'll look
into it, I promise nothing as I'm pretty busy these days.



On 1/2/06, Frank Knobbe <frank at ...2134...> wrote:
> Greetings,
> the third version of the metasploit for the WMF issue is capable of
> gzipped HTTP responses. Any attack (and I have caught a few in the past)
> that runs over compressed HTTP responses is not detected by Snort.
> While a gunzip implementation in the http_inspect preprocessor is
> certainly harmful to performance, I believe the capability should be
> added nevertheless so that the user may enable it in times when it is
> needed. Currently, with the next, still unpatched WMF exploits using
> compressed HTTP, this capability is absolutely essential. Without it,
> Snort can not compete against other IDS systems that support
> decompression of gzipped HTTP traffic.
> So my question to the developers is: Will Snort receive this capability
> any time soon? Is anyone working on an http_inspect_gunzip preprocessor
> yet?
> Regards,
> Frank
> --
> It is said that the Internet is a public utility. As such, it is best
> compared to a sewer. A big, fat pipe with a bunch of crap sloshing
> against your ports.
> Version: GnuPG v1.4.2 (FreeBSD)
> iD8DBQBDuTobGr6G9pK6fXURAvH9AJ9fvqPwuZ7F4llrUn0i0/OixbkvCgCdFemN
> r6FRGeev0HcnktkHflBHyTQ=
> =U+ue

More information about the Snort-devel mailing list