[Snort-sigs] Another question about the inspect_gzip option in Snort 2.8.6

L0rd Ch0de1m0rt l0rdch0de1m0rt at ...2420...
Tue May 18 13:26:04 EDT 2010


Hello.  I have a simple question about the inspect_gzip option in
Snort 2.8.6.  I am reading in the manual where it says, on page 55 "To
enable compression of HTTP server response, Snort should be configured
with the --enable-zlib flag."  I thought that the inspect_gzip option
just decompressed the gzip data for Snort, not compressed it.  Or is
it for in-line Snort where the inspected gzipped data gets gzipped back
up before being passed on?  If so, why not just keep a copy of the
original gzipped data in a separate buffer and forward that instead?
I guess if you did that you'd have to drop the whole gzip buffer up to
max_gzip_mem bytes on an IPS drop event.  Or am I reading too much
into this?

Thanks.

-L0rd Ch0de1m0rt



