[Snort-devel] http_gunzip preprocessor
mnorton at ...402...
Tue Jan 3 11:05:01 EST 2006
Chris Sherwin of the Sourcefire-Snort Team is currently working on a
pretty significant upgrade to http inspect. We're interested in talking
about what specifically you're looking for from this feature to build out
the feature definition and requirements to make a determination of whether
we think we should implement it. This is a pretty CPU-intensive task so
we'd have to figure out how it helps and whom it helps. Many situations
with high bandwidth networks could not even turn this on, so we have to
examine all of the issues. Is there a difference in need between
inline and pure IDS mode? Does it only make sense if we have hardware
acceleration? etc...
I know from a pure research or theoretical point of view it's a must
have, but snort is used in production environments under heavy load
these days so we just have to move carefully. Of course none of this
prevents you from doing a preproc to move ahead on your own. (We also
have to consider other http issues; http tunnelling protocols is a
pretty big deal as well, for instance.)
So if you can better detail your requirements for this feature we might
be able to respond more intelligently.
Will Metcalf wrote:
>Shouldn't be too hard to write. I would also like to see the preproc
>split out the actual payload from the http header stuff. I'll look
>into it; I promise nothing as I'm pretty busy these days.
>On 1/2/06, Frank Knobbe <frank at ...2134...> wrote:
>>The third version of the metasploit for the WMF issue is capable of
>>gzipped HTTP responses. Any attack (and I have caught a few in the past)
>>that runs over compressed HTTP responses is not detected by Snort.
>>While a gunzip implementation in the http_inspect preprocessor is
>>certainly harmful to performance, I believe the capability should be
>>added nevertheless so that the user may enable it in times when it is
>>needed. Currently, with the next, still unpatched WMF exploits using
>>compressed HTTP, this capability is absolutely essential. Without it,
>>Snort cannot compete against other IDS systems that support
>>decompression of gzipped HTTP traffic.
>>So my question to the developers is: Will Snort receive this capability
>>any time soon? Is anyone working on an http_inspect_gunzip preprocessor?
>>It is said that the Internet is a public utility. As such, it is best
>>compared to a sewer. A big, fat pipe with a bunch of crap sloshing
>>against your ports.
Marc Norton Snort Team Lead
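The point Frank raises in the quoted message, that a content match run over the raw TCP payload never sees what is inside a gzip- or deflate-encoded response body, can be shown with a small stand-alone script. This is an added example written for this page; it is not Snort code and not the http_inspect work described above. It builds a constructed HTTP response around a placeholder byte string (not a real WMF exploit), applies the same pattern match before and after undoing Content-Encoding, and caps decompression at an assumed 1 MiB per response so that a small "bomb" cannot turn the CPU cost Marc mentions into a denial of service against the sensor. The sample response, the marker string and the cap value are all assumptions made for the demonstration.

```python
import zlib
from typing import Dict, Optional, Tuple

# Constructed sample input. MARKER stands in for whatever byte sequence a
# Snort "content:" option would look for; it is a placeholder, not a real exploit.
MARKER = b"PLACEHOLDER_ATTACK_PATTERN"
BODY = b"<html><body>" + b"<p>padding</p>" * 20 + MARKER + b"</body></html>"

# Assumed cap on decompressed bytes per response, so a tiny compressed "bomb"
# cannot force the sensor to inflate gigabytes (the CPU cost the thread worries about).
MAX_DECOMPRESSED = 1 << 20


def build_response(body: bytes, encoding: Optional[str]) -> bytes:
    """Build an HTTP/1.1 response; encoding is None, "gzip" or "deflate"."""
    if encoding == "gzip":
        c = zlib.compressobj(wbits=16 + zlib.MAX_WBITS)   # gzip framing (RFC 1952)
        body = c.compress(body) + c.flush()
    elif encoding == "deflate":
        body = zlib.compress(body)                         # zlib framing (RFC 1950)
    lines = [b"HTTP/1.1 200 OK", b"Content-Type: text/html",
             b"Content-Length: " + str(len(body)).encode()]
    if encoding:
        lines.append(b"Content-Encoding: " + encoding.encode())
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def split_response(raw: bytes) -> Tuple[bytes, Dict[bytes, bytes], bytes]:
    """Separate status line, header map (lower-cased names) and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP headers")
    lines = head.split(b"\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def decode_body(headers: Dict[bytes, bytes], body: bytes) -> Tuple[bytes, bool]:
    """Undo Content-Encoding under the size cap. Returns (decoded, truncated)."""
    enc = headers.get(b"content-encoding", b"identity").lower()
    if enc in (b"identity", b""):
        return body, False
    if enc in (b"gzip", b"x-gzip"):
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
        out = d.decompress(body, MAX_DECOMPRESSED)
    elif enc == b"deflate":
        d = zlib.decompressobj()  # zlib-wrapped, as the HTTP spec intends ...
        try:
            out = d.decompress(body, MAX_DECOMPRESSED)
        except zlib.error:
            d = zlib.decompressobj(wbits=-zlib.MAX_WBITS)  # ... but some servers send raw deflate
            out = d.decompress(body, MAX_DECOMPRESSED)
    else:
        raise ValueError("unsupported Content-Encoding: %r" % enc)
    # eof is False when the stream was cut off by the cap (or is incomplete).
    return out, not d.eof


def inspect_response(raw: bytes, pattern: bytes, decompress: bool) -> Dict[str, object]:
    """Apply a content match to the body, with or without decoding it first."""
    _, headers, body = split_response(raw)
    truncated = False
    if decompress:
        body, truncated = decode_body(headers, body)
    return {"match": pattern in body, "decoded_len": len(body), "truncated": truncated}


def demo() -> Dict[str, Tuple[bool, bool]]:
    """For each encoding: (match on raw bytes, match after decoding)."""
    out = {}
    for enc in (None, "gzip", "deflate"):
        raw = build_response(BODY, enc)
        out[enc or "identity"] = (inspect_response(raw, MARKER, False)["match"],
                                  inspect_response(raw, MARKER, True)["match"])
    return out


if __name__ == "__main__":
    for enc, (raw_hit, decoded_hit) in demo().items():
        print(f"{enc:9s} raw match={str(raw_hit):5s} decoded match={decoded_hit}")
```

Running the script shows the identity-encoded response matching either way, while the gzip and deflate responses match only after decoding. Two details matter for a sensor rather than a demo: decoding is only attempted when the response actually carries a Content-Encoding header, so uncompressed traffic costs nothing extra, and the decoded length is bounded, so the worst case per response is known in advance rather than chosen by the sender.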