[Snort-sigs] Snorting gzip encoded http source code

Abe Use neosporin1v1 at ...12...
Fri Aug 27 10:42:15 EDT 2004


I hope this is a simple question; I've been investigating this for some time and 
not come up with anything yet...

I want to find a certain string in my web-page source code, but I use gzip 
encoding to deliver it, and my snort rules aren't catching it... is there 
a way to do this... to "zcat" or "zgrep" http gzip encoded content? possibly 
using zlib?

I do not wish to DOS my site, so if you look at Yahoo you can see a very 
similar example:
http://finance.yahoo.com/  some of the source is gzipped, and then deflated 
by my machine. Does snort have a deflate? So that I could pick out a string, 
for example with the Yahoo link above... I'd like to find 
"stocks" ... I don't see that string in my pcap... I hope I'm missing 
something...
my rule is as follows for this example

alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"yahoo-test"; content:"|73 74 6F 63 6B 73|"; classtype:unknown;)

pcap is attached
-Abe

-------------- next part --------------
A non-text attachment was scrubbed...
Name: test-pcap.cap
Type: application/octet-stream
Size: 11046 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20040827/6c4e5fb4/attachment.obj>
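Added example (not code from the post, from Snort, or from the attached pcap) showing why the rule above misses: on the wire the body is compressed, so the bytes |73 74 6F 63 6B 73| ("stocks") only exist after the Content-Encoding is undone with zlib, which is what any inspection tool has to do before matching. The HTTP response is constructed inline; it handles gzip and both flavours of deflate encoding.

```python
import gzip
import zlib

# The byte pattern from the rule: content:"|73 74 6F 63 6B 73|" == b"stocks"
PATTERN = bytes.fromhex("73746F636B73")

# Constructed sample body standing in for the captured page (not the real pcap).
PLAIN_BODY = b"<html><body><h1>Quotes</h1><p>Top stocks today</p></body></html>"


def build_response(body, encoding):
    """Constructed HTTP/1.1 response with the body encoded as a server would send it."""
    if encoding == b"gzip":
        payload = gzip.compress(body, mtime=0)
    elif encoding == b"deflate":
        payload = zlib.compress(body)            # zlib-wrapped deflate (RFC 2616 form)
    else:
        payload = body
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Encoding: " + encoding + b"\r\n"
            b"Content-Length: " + str(len(payload)).encode() + b"\r\n\r\n" + payload)


def split_response(raw):
    """Return (headers dict, body bytes) for one HTTP response blob."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:         # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body


def decode_body(headers, body):
    """Undo Content-Encoding so the body looks like what the browser rendered."""
    enc = headers.get(b"content-encoding", b"identity")
    if enc == b"gzip":
        return zlib.decompress(body, zlib.MAX_WBITS | 16)   # 16 = expect gzip wrapper
    if enc == b"deflate":
        try:
            return zlib.decompress(body)                       # zlib-wrapped deflate
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)      # raw deflate, some servers
    return body


def matches(raw, pattern=PATTERN):
    """Return (found in wire bytes, found after decoding the Content-Encoding)."""
    headers, body = split_response(raw)
    return pattern in body, pattern in decode_body(headers, body)
```

For a gzip-encoded response `matches()` returns `(False, True)`: the raw content match fails exactly as in the post, while the decoded body contains the string.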

