[Snort-sigs] Snorting gzip encoded http source code

Jason Haar Jason.Haar at ...651...
Mon Aug 30 16:44:21 EDT 2004


On Mon, Aug 30, 2004 at 06:58:09PM +0000, Abe Use wrote:
> I suppose I'll have my users connect through a proxy, and I'll have it 
> strip or replace the "accept encoding gzip" portion of the header- so that 
> I can match content plain-text. Would be cool though if snort was able to 
> inflate the gzip'd stream, and look through the content... or save the 
> stream and I could use something else to parse through it...

Yes - that feature makes NIDS increasingly useless for Web traffic. Similar
problem to HTTPS - and I think your solution is similar to how we handle
HTTPS (put in a reverse proxy and sniff the unencrypted side). However
it'll mean you don't get any of the performance benefits of compressed
traffic - which is a pity...


An "uncompressor" preprocessor would be nice - but I have no idea what the
performance impact would be...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
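
As an added illustration (not part of the original thread or of Snort), the Python below shows the two points discussed above: why a plain-text content match fails on a gzip-encoded HTTP response and succeeds once the body is inflated (the "uncompressor" step), and the proxy-side workaround of dropping Accept-Encoding from the client request. The HTTP messages and the "signature" string are constructed for the example; deflate handling for both the zlib-wrapped and raw forms is included because servers send either.

```python
import gzip
import zlib

# Constructed "signature": the plain-text string a content match would
# look for in an HTML page. Hypothetical, not from the original post.
SIGNATURE = b"<script>evil()</script>"

# Constructed sample page containing that string.
BODY = (b"<html><head><title>Welcome</title></head><body>\n"
        b"<p>Hello, world. Nothing to see here.</p>\n"
        b"<script>evil()</script>\n"
        b"</body></html>\n")

# Constructed client request advertising gzip support.
REQUEST = (b"GET / HTTP/1.1\r\n"
           b"Host: example.com\r\n"
           b"Accept-Encoding: gzip, deflate\r\n"
           b"User-Agent: test\r\n"
           b"\r\n")


def build_gzip_response(body):
    """Build a raw HTTP/1.1 response whose body is gzip-encoded."""
    compressed = gzip.compress(body)
    return (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/html\r\n"
            b"Content-Encoding: gzip\r\n"
            b"Content-Length: " + str(len(compressed)).encode("ascii") + b"\r\n"
            b"\r\n" + compressed)


def split_response(raw):
    """Split a raw response into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:      # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def inflate_body(headers, body):
    """Undo Content-Encoding so the body can be matched as plain text.

    Handles gzip and both flavours of deflate (zlib-wrapped and raw);
    anything else is passed through unchanged.
    """
    encoding = headers.get(b"content-encoding", b"").lower()
    if encoding == b"gzip":
        return gzip.decompress(body)
    if encoding == b"deflate":
        try:
            return zlib.decompress(body)                   # RFC 1950 wrapper
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)  # raw RFC 1951
    return body


def naive_match(raw, signature):
    """What a content match sees on the wire: the compressed bytes."""
    _, body = split_response(raw)
    return signature in body


def inflated_match(raw, signature):
    """The same match after an 'uncompressor' step has inflated the body."""
    headers, body = split_response(raw)
    return signature in inflate_body(headers, body)


def strip_accept_encoding(request):
    """Proxy-side workaround: drop Accept-Encoding from the client request
    so the server has to reply in plain text that the NIDS can inspect."""
    head, sep, body = request.partition(b"\r\n\r\n")
    kept = [line for line in head.split(b"\r\n")
            if not line.lower().startswith(b"accept-encoding:")]
    return b"\r\n".join(kept) + sep + body


if __name__ == "__main__":
    raw = build_gzip_response(BODY)
    print("match on wire bytes:   ", naive_match(raw, SIGNATURE))     # False
    print("match after inflating: ", inflated_match(raw, SIGNATURE))  # True
    print(strip_accept_encoding(REQUEST).decode("ascii"))
```

The deflate bit stream is not byte-aligned, so even a short literal string never appears verbatim in the compressed body; any signature written against the plain text is blind until something inflates the stream. Stripping Accept-Encoding at the proxy restores visibility at the cost Jason notes: every response then crosses the wire uncompressed.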
