[Snort-sigs] Another question about the inspect_gzip option in Snort 2.8.6
l0rdch0de1m0rt at ...2420...
Tue May 18 13:26:04 EDT 2010
Hello. I have a simple question about the inspect_gzip option in
Snort 2.8.6. I am reading in the manual where it says, on page 55, "To
enable compression of HTTP server response, Snort should be configured
with the --enable-zlib flag." I thought that the inspect_gzip option
just decompressed the gzip data for Snort, not compressed it. Or is
it for in-line Snort where the inspected gzipped data gets gzipped back
up before being passed on? If so, why not just keep a copy of the
original gzipped data in a separate buffer and forward that instead?
I guess if you did that you'd have to drop the whole gzip buffer up to
max_gzip_mem bytes on an IPS drop event. Or am I reading too much
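The arrangement the post asks about, where detection runs on a decompressed copy and the original gzip bytes are forwarded untouched, sketched as an added example; it is not Snort's code and not part of the original message. `MAX_INSPECT_BYTES`, `PATTERN`, the function names and the sample response are assumptions made for the illustration, with the cap standing in for a limit such as max_gzip_mem.

```python
import gzip
import zlib

MAX_INSPECT_BYTES = 1024          # assumed cap on decompressed bytes kept for inspection
PATTERN = b"EXAMPLE-MARKER"       # constructed content pattern a rule would look for

# Constructed sample: the gzip-encoded body of an HTTP server response.
SAMPLE_BODY = gzip.compress(b"<html><body>" + b"padding " * 20 + PATTERN + b"</body></html>")


def inflate_for_inspection(body, limit=MAX_INSPECT_BYTES):
    """Decompress at most `limit` bytes of a gzip body.

    Returns (plaintext, partial); partial is True when the stream was not
    decompressed to its end, so the inspection did not cover everything.
    """
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16 + MAX_WBITS selects gzip framing
    try:
        out = d.decompress(body, limit)           # output is bounded by `limit`
    except zlib.error:
        return b"", True                          # not valid gzip: nothing was inspected
    return out, not d.eof


def inspect_response(headers, body, pattern=PATTERN):
    """Match `pattern` against a decompressed view of the body.

    `body` is never modified or re-compressed; the same object is handed back
    under "forward", so the client receives exactly what the server sent.
    """
    if headers.get("Content-Encoding", "").lower() == "gzip":
        view, partial = inflate_for_inspection(body)
    else:
        view, partial = body, False
    return {"match": pattern in view, "partial": partial, "forward": body}


if __name__ == "__main__":
    print("pattern visible in raw gzip bytes:", PATTERN in SAMPLE_BODY)
    verdict = inspect_response({"Content-Encoding": "gzip"}, SAMPLE_BODY)
    print("match:", verdict["match"], "partial:", verdict["partial"])
    print("forwarded bytes unchanged:", verdict["forward"] is SAMPLE_BODY)
```

The `partial` flag matters on the detection side: a response whose decompressed size exceeds the cap has only its first `MAX_INSPECT_BYTES` bytes inspected, so a clean verdict with `partial` set covers only that prefix.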