[Snort-sigs] Snorting gzip encoded http source code

Abe Use neosporin1v1 at ...12...
Fri Aug 27 12:19:05 EDT 2004


I got my terms wrong: is there an Inflate for Snort? Deflate is what's 
being sent already. Thanks again.


>From: "Abe Use" <neosporin1v1 at ...12...>
>To: snort-sigs at lists.sourceforge.net
>Subject: [Snort-sigs] Snorting gzip encoded http source code
>Date: Fri, 27 Aug 2004 17:40:58 +0000
>
>I hope this is a simple question; I've been investigating this for some time and 
>not come up with anything yet...
>
>I want to find a certain string in my web-page source code, but I use gzip 
>encoding to deliver it, and my Snort rules aren't catching it... is there 
>a way to do this... to "zcat" or "zgrep" HTTP gzip-encoded content? Possibly 
>using zlib?
>
>I do not wish to DoS my site, so if you look at Yahoo you can see a very 
>similar example:
>http://finance.yahoo.com/  some of the source is gzipped, and then deflated 
>by my machine. Does Snort have a deflate? So that I could pick out a string, 
>for example with the Yahoo link above... I'd like to find
>"stocks"... I don't see that string in my pcap... I hope I'm missing 
>something...
>My rule is as follows for this example:
>
>alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"yahoo-test"; 
>content:"|73 74 6F 63 6B 73|"; classtype: unknown;)
>
>pcap is attached
>-Abe
>
><< test-pcap.cap >>

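As an added illustration (not code from the thread or from the Snort project), the script below builds a small HTTP response whose body contains "stocks", the bytes the rule above matches with content:"|73 74 6F 63 6B 73|", and shows that a plain content match on the wire bytes fails once the body is gzip- or deflate-encoded, while the same match succeeds after the body is inflated with zlib. The HTML body and the HTTP framing are constructed here; they are not the pcap attached to the original message.

```python
import gzip
import zlib

# Byte pattern from the rule in the thread: |73 74 6F 63 6B 73| is b"stocks".
PATTERN = bytes.fromhex("73746F636B73")


def build_response(body: bytes, encoding: str) -> bytes:
    """Build a minimal HTTP/1.1 response with the given Content-Encoding.
    Constructed sample data for this example, not the thread's capture."""
    if encoding == "gzip":
        payload = gzip.compress(body)
    elif encoding == "deflate":
        payload = zlib.compress(body)  # zlib-wrapped deflate, as RFC 2616 intends
    else:
        payload = body
    head = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            f"Content-Encoding: {encoding}\r\n"
            f"Content-Length: {len(payload)}\r\n\r\n")
    return head.encode() + payload


def split_response(raw: bytes):
    """Return (content-encoding, body) from a raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    enc = "identity"
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-encoding":
            enc = value.strip().lower().decode()
    return enc, body


def inflate_body(encoding: str, body: bytes) -> bytes:
    """Undo Content-Encoding, which an inspector must do before matching."""
    if encoding == "gzip":
        return zlib.decompress(body, 16 + zlib.MAX_WBITS)  # expect gzip header
    if encoding == "deflate":
        try:
            return zlib.decompress(body)  # zlib-wrapped stream
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)  # raw deflate, seen in the wild
    return body


def match_raw(raw: bytes) -> bool:
    """What a plain content: match sees: the compressed wire bytes."""
    return PATTERN in raw


def match_inflated(raw: bytes) -> bool:
    """The same match after the body has been inflated."""
    enc, body = split_response(raw)
    return PATTERN in inflate_body(enc, body)
```

Running match_raw and match_inflated over a gzip response for a page containing "stocks" gives False and True respectively; only the identity-encoded response matches on the raw bytes.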