[Snort-sigs] Snorting gzip encoded http source code

Abe Use neosporin1v1 at ...12...
Mon Aug 30 12:02:10 EDT 2004

I suppose I'll have my users connect through a proxy, and I'll have it strip 
or replace the "accept encoding gzip" portion of the header- so that I can 
match content plain-text. Would be cool though if snort was able to inflate 
the gzip'd stream, and look through the content... or save the stream and I 
could use something else to parse through it...

>From: "Abe Use" <neosporin1v1 at ...12...>
>To: snort-sigs at lists.sourceforge.net
>Subject: RE: [Snort-sigs] Snorting gzip encoded http source code
>Date: Fri, 27 Aug 2004 19:18:20 +0000
>I got my terms wrong, is there an Inflate for snort... deflate is what's 
>being sent already, thanks again.
>>From: "Abe Use" <neosporin1v1 at ...12...>
>>To: snort-sigs at lists.sourceforge.net
>>Subject: [Snort-sigs] Snorting gzip encoded http source code
>>Date: Fri, 27 Aug 2004 17:40:58 +0000
>>I hope this is a simple question, been investigating this for some time 
>>and not come up with anything yet...
>>I want to find a certain string in my web-page source code- but I use gzip 
>>encoding to deliver it , and my snort rules aren't catching it... is there 
>>away to do this... to "zcat" or "zgrep" http gzip encoded content? 
>>possibly using zlib?
>>I do not wish to DOS my site, so if you look at yahoo - you can see a very 
>>similar example
>>http://finance.yahoo.com/  some of the source is gziped, and then deflated 
>>by my machine, does snort have a deflate? So that I could pick out a 
>>string  for example with the yahoo link above... I'd like to find
>>"stocks" ... I don't see that string in my pcap... I hope I'm missing 
>>my rule is as follows for this example
>>alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"yahoo-test"; 
>>content:"|73 74 6F 63 6B 73|"; classtype: unknown;)
>>pcap is attached
>>Get ready for school! Find articles, homework help and more in the Back to 
>>School Guide! http://special.msn.com/network/04backtoschool.armx
>><< test-pcap.cap >>
>Express yourself instantly with MSN Messenger! Download today - it's FREE! 
>This SF.Net email is sponsored by BEA Weblogic Workshop
>FREE Java Enterprise J2EE developer tools!
>Get your free copy of BEA WebLogic Workshop 8.1 today.
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net

FREE pop-up blocking with the new MSN Toolbar – get it now! 

More information about the Snort-sigs mailing list