[Snort-devel] http_gunzip preprocessor

Marc Norton mnorton at ...402...
Tue Jan 3 11:05:01 EST 2006

Chris Sherwin of the Sourcefire-Snort Team is currently working on a 
pretty significant upgrade to http inspect.  We're interested in talking 
about what specifically you're looking for from this feature to build out 
the feature definition and requirements to make a determination of whether 
we think we should implement it.  This is a pretty CPU intensive task so 
we'd have to figure out how it helps and whom it helps.  Many situations 
with high bandwidth networks could not even turn this on, so we have to 
examine all of the issues.  Is there a difference in need between 
inline and pure IDS mode?  Does it only make sense if we have hardware 
acceleration?  etc...

I know from a pure research or theoretical point of view it's a must 
have, but Snort is used in production environments under heavy load 
these days so we just have to move carefully.   Of course none of this 
prevents you from doing a preproc to move ahead on your own.  (We also 
have to consider other http issues; http tunnelling protocols are a 
pretty big deal as well, for instance.)

So if you can better detail your requirements for this feature we might 
be able to respond more intelligently.

Will Metcalf wrote:

>Shouldn't be too hard to write, I would also like to see the preproc
>split out the actual payload from the http header stuff.  I'll look
>into it, I promise nothing as I'm pretty busy these days.
>On 1/2/06, Frank Knobbe <frank at ...2134...> wrote:
>>the third version of the metasploit for the WMF issue is capable of
>>gzipped HTTP responses. Any attack (and I have caught a few in the past)
>>that runs over compressed HTTP responses is not detected by Snort.
>>While a gunzip implementation in the http_inspect preprocessor is
>>certainly harmful to performance, I believe the capability should be
>>added nevertheless so that the user may enable it in times when it is
>>needed. Currently, with the next, still unpatched WMF exploits using
>>compressed HTTP, this capability is absolutely essential. Without it,
>>Snort can not compete against other IDS systems that support
>>decompression of gzipped HTTP traffic.
>>So my question to the developers is: Will Snort receive this capability
>>any time soon? Is anyone working on an http_inspect_gunzip preprocessor?
>>It is said that the Internet is a public utility. As such, it is best
>>compared to a sewer. A big, fat pipe with a bunch of crap sloshing
>>against your ports.

Marc Norton      Snort Team Lead
Sourcefire,Inc   410-423-1924
www.snort.org    www.sourcefire.com 
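The evasion Frank describes (a content match that fires on a plain response body but not on the same body delivered with Content-Encoding: gzip) and the cost concern Marc raises, shown as an added example that is not from this thread and not Snort's http_inspect code: a small Python model that splits a response into headers and body, inflates the body only when the server declares gzip, and bounds the inflated size so a tiny compressed body cannot consume unbounded CPU or memory. The response bytes, the marker string standing in for a signature, and the 1 MiB cap are all constructed for the example.

```python
import gzip
import zlib

# Constructed stand-in for a Snort content match; not a real exploit signature.
SIGNATURE = b"DEMO_PATTERN_FOR_THIS_EXAMPLE"
# Cap on inflated bytes so inspection cost stays bounded (assumed value;
# a real preprocessor would make this a configuration option).
MAX_DECOMPRESSED = 1 << 20  # 1 MiB


def build_response(body: bytes, compress: bool) -> bytes:
    """Construct a minimal HTTP/1.1 response, gzip-encoding the body if asked."""
    if compress:
        body = gzip.compress(body)
    headers = [b"HTTP/1.1 200 OK", b"Content-Type: text/html"]
    if compress:
        headers.append(b"Content-Encoding: gzip")
    headers.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def split_response(raw: bytes):
    """Separate the status line and headers from the payload (the split Will asked for)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def decode_body(headers, body: bytes):
    """Return (inspectable_body, truncated).

    Inflates only when Content-Encoding: gzip is declared, and stops after
    MAX_DECOMPRESSED output bytes; `truncated` tells the caller the cap was hit.
    """
    if headers.get(b"content-encoding", b"").lower() != b"gzip":
        return body, False
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects the gzip wrapper
    out = inflater.decompress(body, MAX_DECOMPRESSED)
    truncated = bool(inflater.unconsumed_tail)  # compressed input left over once the cap hit
    return out, truncated


def matches(raw: bytes, inflate: bool) -> bool:
    """Does the signature fire on this response, with or without gzip support?"""
    headers, body = split_response(raw)
    if inflate:
        body, _ = decode_body(headers, body)
    return SIGNATURE in body


if __name__ == "__main__":
    page = b"<html>" + b"x" * 300 + SIGNATURE + b"</html>"
    for compress in (False, True):
        raw = build_response(page, compress)
        print(f"gzip={compress}: match without inflate={matches(raw, False)}, "
              f"with inflate={matches(raw, True)}")
```

Run as a script it prints that the signature matches the plain response either way, but matches the gzip response only when the body is inflated first. The `max_length` argument to `decompress` is what keeps the feature affordable on a busy sensor: an attacker-supplied body that inflates to gigabytes yields at most 1 MiB of output, and the `truncated` flag lets a rule writer decide whether a capped body should itself be alerted on.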
