[Snort-users] Snort and gzip Encode Question

Joel Esler joel.esler at ...1935...
Fri Aug 19 07:06:14 EDT 2005


It is possible to catch a gzip'ed file by looking for the gzip's hex value.

I don't know if that is what you are looking for...  |1F 8B 08| is gz.
|50 4B 03 04| is .zip

Joel


On Aug 19, 2005, at 9:17 AM, dajackman wrote:

> I'm trying to come up with a rule to catch this Internet Explorer
> (.Net) 0day Exploit.  While playing around with a rule I came up with
> a question I haven't found the answer to.  Can Snort do anything with
> compressed html/gzip encoding?  A quick Google search and SNORT Doc
> peek didn't produce much.  Thanks.
>
> -dajackman

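An added illustration, not part of the original thread: the Python sketch below shows why a plain content match misses a pattern inside a gzip-encoded HTTP body, how the magic bytes quoted above identify the container, and how a size-capped decompression makes the pattern matchable again. The function names, the sample response and the `EXAMPLE-MARKER` pattern are constructed for this example.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"     # gzip header, deflate method (|1F 8B 08|)
ZIP_MAGIC = b"\x50\x4b\x03\x04"  # ZIP local file header (|50 4B 03 04|)

# Constructed sample page and pattern; not taken from any real exploit.
SAMPLE_PAGE = b"<html><body><object id='EXAMPLE-MARKER'></object></body></html>"
PATTERN = b"EXAMPLE-MARKER"


def build_sample(html, compress):
    """Build a constructed HTTP response, optionally gzip-encoded."""
    head = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    if compress:
        head += b"Content-Encoding: gzip\r\n"
        html = gzip.compress(html)
    return head + b"\r\n" + html


def inspect(raw, pattern, max_out=1 << 20):
    """Return (container, raw_hit, decoded_hit) for one HTTP response.

    raw_hit is what a byte-for-byte content match on the wire would see;
    decoded_hit is the result after undoing gzip encoding, if present.
    """
    body = raw.partition(b"\r\n\r\n")[2]
    raw_hit = pattern in body
    if body.startswith(ZIP_MAGIC):
        return "zip", raw_hit, False      # identified only, not unpacked here
    if not body.startswith(GZIP_MAGIC):
        return "none", raw_hit, raw_hit
    try:
        # wbits=31 selects gzip framing; max_out caps the decoded size so a
        # decompression bomb cannot exhaust the sensor's memory.
        decoded = zlib.decompressobj(31).decompress(body, max_out)
    except zlib.error:
        return "gzip-corrupt", raw_hit, False
    return "gzip", raw_hit, pattern in decoded


if __name__ == "__main__":
    for compress in (False, True):
        print(inspect(build_sample(SAMPLE_PAGE, compress), PATTERN))
```
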