[Snort-devel] http_gunzip preprocessor

Jason security at ...1585...
Thu Jan 5 11:04:01 EST 2006


Michael Loftis wrote:
>> Could we please keep the devel list focused on the technical aspects and
>> not abuse it for misguided evangelism?
> 
> 
> I have to agree, the replies Frank is getting are downright troll-ish. 
> I think being able to inspect, or at least *OFFER* the option to inspect
> (even a portion of) compressed content of HTTP streams is essential. 
> It's no different than looking at the content of any other packet. 
> Yeah, it requires more work, yeah there are pitfalls.  But as long as
> they're documented (which you guys have completely beat the damned dead
> horse on) there's no reason NOT to allow that feature assuming it works
> well and doesn't introduce any new bugs.  For SNORT this might mean a
> modified implementation because it would need to STOP possibly even
> partially through decoding a block, as soon as it hit its limit.  It
> would also need to be very robust in the face of malicious data designed
> to trip up the sensor.
> 
> Yeah using it as a content screen is misusing it, but ffs, nothing
> prevents someone who has too much time and CPU on their hands from doing
> it.  Just because a feature is there doesn't mean that's what it'll be
> used for, so drop it.
> 
> Things can be taken one step at a time.  Right now all that's wanted is
> the ability to begin to spot signatures of malicious worm code in
> compressed HTTP streams....correct me if I'm wrong, but doesn't snort
> already have signatures do (things like) that for uncompressed streams?
> 

Would anyone like to write the preprocessor and submit it? It takes time
to develop these things and put them through the paces.

It sounds to me that the majority of the people that could write it do
not yet see a justification for diverting resources to this instead of
working on more tangible problems that have wider appeal and purpose.

I would be happy to offer assistance to the person that takes on
developing the pp but I do not have the free time to get to it for a few
months.
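The design constraint raised in the quoted message, that the sensor has to stop inflating the moment it hits its output budget (even mid-block) and stay robust against malformed or truncated input, is easy to get wrong, so here is an added example of that behaviour. This is not Snort code and not the proposed http_gunzip preprocessor; it is a stand-alone sketch in Python using the standard zlib module (a C preprocessor would make the equivalent calls against zlib's inflate with a capped avail_out). The function names, the 4096-byte budget, the signature strings and the gzip bodies are all constructed for the demonstration.

```python
"""Bounded gzip inflation for HTTP response bodies (added example, not Snort code).

Demonstrates the points from the thread: inflate under a fixed output budget,
stop mid-stream when the budget is hit, report what happened, and survive
truncated or garbage input without blowing up. Names and limits are made up.
"""
import gzip
import zlib

INFLATE_BUDGET = 4096  # assumed per-response output budget, in bytes

# Constructed sample signatures (not Snort rules): byte strings the sensor
# looks for in the inflated prefix of the body.
SIGNATURES = {
    "demo-worm-marker": b"WORM_PAYLOAD_MARKER",
    "demo-script-tag": b"<script>evil()",
}


def bounded_gunzip(body: bytes, budget: int = INFLATE_BUDGET):
    """Inflate at most `budget` bytes of a gzip body.

    Returns (inflated_prefix, status) where status is one of:
      "complete"   - whole stream inflated within the budget
      "limit"      - budget reached; input left unconsumed (stopped mid-stream)
      "incomplete" - input ran out before end-of-stream (truncated body)
      "malformed"  - zlib rejected the data
    """
    inflater = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)  # +16 = gzip framing
    try:
        out = inflater.decompress(body, budget)  # max_length caps the output size
    except zlib.error:
        return b"", "malformed"
    if inflater.eof:
        return out, "complete"
    if inflater.unconsumed_tail:
        return out, "limit"
    return out, "incomplete"


def inspect_body(body: bytes, budget: int = INFLATE_BUDGET):
    """Inflate under budget and scan the prefix; returns (status, matched names)."""
    data, status = bounded_gunzip(body, budget)
    hits = sorted(name for name, sig in SIGNATURES.items() if sig in data)
    return status, hits


def build_samples():
    """Constructed gzip bodies covering the cases the thread worries about."""
    benign = gzip.compress(b"<html><body>hello</body></html>")
    worm = gzip.compress(b"<html>" + b"x" * 500 + b"WORM_PAYLOAD_MARKER" + b"</html>")
    # Highly compressible blob: ~1 MB inflates from ~1 KB of input. The sensor
    # must give up after `budget` bytes instead of inflating all of it.
    bomb = gzip.compress(b"\x00" * 1_000_000)
    # Marker placed past the budget: the documented blind spot of a capped scan.
    late_marker = gzip.compress(b"A" * (INFLATE_BUDGET + 100) + b"WORM_PAYLOAD_MARKER")
    truncated = gzip.compress(b"B" * 10_000)[:20]  # body cut off mid-stream
    garbage = b"\x1f\x8b\x08\x00" + b"\xff" * 32  # gzip magic, then junk
    return {
        "benign": benign, "worm": worm, "bomb": bomb,
        "late_marker": late_marker, "truncated": truncated, "garbage": garbage,
    }


def run_samples(budget: int = INFLATE_BUDGET):
    """Inspect every sample; returns {name: (inflated_len, status, hits)}."""
    results = {}
    for name, body in build_samples().items():
        data, status = bounded_gunzip(body, budget)
        _, hits = inspect_body(body, budget)
        results[name] = (len(data), status, hits)
    return results


if __name__ == "__main__":
    for name, (n, status, hits) in run_samples().items():
        print(f"{name:12s} inflated={n:5d} status={status:10s} hits={hits}")
```

The "limit" status is the interesting one for a sensor: the bomb and the late_marker samples both stop at exactly 4096 bytes of output with compressed input still unconsumed, so CPU and memory stay bounded no matter how well the body compresses, and the late marker is simply not seen. That is the trade-off the thread says must be documented: a capped inflate is a cheap first look at the start of a compressed body, not a guarantee of full coverage.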



