[Snort-devel] http_gunzip preprocessor

Frank Knobbe frank at ...2134...
Thu Jan 5 11:16:02 EST 2006


On Thu, 2006-01-05 at 14:03 -0500, Jason wrote:
> Would anyone like to write the preprocessor and submit it? It takes time
> to develop these things and put them through the paces.

Dude, I'd love to do that. But my Snortsam todo is already piling up
with ToDo I'm not able to find time for. If you bend space-time to give
me about 34 hour days, I'd be happy to. I know you have the same
problem. :/

But we're in early discussion here. A couple more thoughts:

- Take a look at how much gzipped content there is in normal traffic flows.
Take a look at how big it is. We're not talking gzipped images and large
files, not even most web pages. Remember, it is also a performance
impact on the web server, so server operators like to avoid it too.

There are small java scripts here and there that are gzipped. Spending
cycles on those few should not be a burden to Snort.

- Make it an option: How about a http_gzip_select var that can be:
  * none or off: Disables this plugin
  * all: Decompresses all compressed HTTP responses up to
    gzip_flow_depth... of course only where content is actually compressed.
  * select: Make it dependent on the rule. If the option
    "http_unzip:<num bytes>;" is present in a rule, only then unzip up until
    the desired depth (overrides the default depth)

That way you can write specific rules that gunzip content and you
further ease the total load on the sensor by not unzipping on rules that
don't need it.


If I knew more about preprocessors and how to rewrite incoming streams,
I'd be more inclined to tackle this. Just the time for me to get up to
speed on that is prohibitive for me at the moment.


(don't say, spend your time coding instead of writing emails. you don't
know how much I multitask around here... :)

-Frank


-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
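The three http_gzip_select modes proposed above, worked through as an added example (not code from the thread or from Snort itself): a response is only inflated when it actually carries Content-Encoding: gzip, output is capped at the configured depth so a decompression bomb cannot blow up sensor memory, and in select mode the per-rule http_unzip depth decides whether anything is inflated at all. The function and variable names, and the sample response, are constructed for this example.

```python
import gzip
import zlib

# Constructed sample: a small gzipped script response, the kind the post says is worth inspecting.
SAMPLE_SCRIPT = b"<script>document.write('hello')</script>" * 4
RAW_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n"
                b"Content-Encoding: gzip\r\n\r\n" + gzip.compress(SAMPLE_SCRIPT, mtime=0))


def split_http_response(raw: bytes):
    """Split a raw HTTP response into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body


def gunzip_bounded(body: bytes, depth: int) -> bytes:
    """Inflate at most `depth` bytes of output (the flow-depth idea from the thread).

    max_length caps the output buffer, so a tiny body that inflates to gigabytes cannot
    exhaust memory. A truncated stream yields whatever was recoverable; a corrupt one
    yields nothing rather than aborting inspection of the flow.
    """
    inflater = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)  # +16: expect a gzip wrapper
    try:
        return inflater.decompress(body, depth)
    except zlib.error:
        return b""


def inspectable_payload(raw: bytes, mode: str, gzip_flow_depth: int, rule_depth=None) -> bytes:
    """Return the bytes a rule's content match would see under the proposed modes.

    mode 'none'/'off': never inflate.  'all': inflate compressed bodies up to gzip_flow_depth.
    'select': inflate only when the rule carries http_unzip:<n> (rule_depth), to depth n.
    """
    headers, body = split_http_response(raw)
    if headers.get(b"content-encoding") != b"gzip" or mode in ("none", "off"):
        return body  # plain or disabled: rules match the body exactly as it came off the wire
    if mode == "all":
        return gunzip_bounded(body, gzip_flow_depth)
    if mode == "select":
        return body if rule_depth is None else gunzip_bounded(body, rule_depth)
    raise ValueError(f"unknown http_gzip_select mode: {mode!r}")
```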
