[Snort-users] Snort and gzip Encode Question

dajackman robby.lists at ...11827...
Fri Aug 19 07:38:07 EDT 2005


Thanks for the reply.  I was wondering if SNORT can decode compressed
html.  mod_gzip for Apache "...allows for using the compression method
gzip for a significant reduction of the volume of web page content
served over the HTTP protocol."
http://www.schroepl.net/projekte/mod_gzip/

Basically the HTML content is compressed by the web server and sent to
the browser where it is uncompressed.  I'm thinking this may create
some challenges with SNORT.

-- 
-dajackman

On 8/19/05, Joel Esler <joel.esler at ...1935...> wrote:
> It is possible to catch a gzip'ed file by looking for the gzip's hex
> value..
> 
> I don't know if that is what you are looking for...  |1F 8B 08| is gz.
> |50 4B 03 04| is .zip
> 
> Joel
> 
> 
> On Aug 19, 2005, at 9:17 AM, dajackman wrote:
> 
> > I'm trying to come up with a rule to catch this Internet Explorer
> > (.Net) 0day Exploit.  While playing around with a rule I came up with
> > a question I haven't found the answer to.  Can snort do anything with
> > compressed html/gzip encoding?  A quick google search and SNORT Doc
> > peek didn't produce much.  Thanks.
> >
> > -dajackman
> >
>
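
Added example (not part of the original thread, and not Snort code): a Python illustration of the problem discussed above. A plain-text content match fails against a gzip-encoded HTTP body, the gzip magic bytes quoted in the thread still identify the body as compressed, and the match succeeds once the body is decoded. The sample responses, the signature string and the function names are constructed for this example.

```python
import gzip
import zlib

# Magic bytes quoted in the thread: gzip (deflate method) and .zip local file header.
GZIP_MAGIC = b"\x1f\x8b\x08"
ZIP_MAGIC = b"PK\x03\x04"

def split_http(raw):
    """Split a raw HTTP response into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body

def inspect(raw, pattern, max_out=1 << 20):
    """Match `pattern` against the body as sent and as the browser would see it."""
    headers, body = split_http(raw)
    result = {
        "gzip_magic": body.startswith(GZIP_MAGIC),
        "zip_magic": body.startswith(ZIP_MAGIC),
        "gzip_header": headers.get(b"content-encoding") == b"gzip",
        "raw_match": pattern in body,
        "decoded_match": None,                    # stays None if not decoded
    }
    if result["gzip_magic"]:
        # wbits=31 selects the gzip container; max_out caps the output so an
        # oversized stream cannot exhaust the inspector's memory.
        try:
            decoded = zlib.decompressobj(31).decompress(body, max_out)
            result["decoded_match"] = pattern in decoded
        except zlib.error:
            pass                                  # corrupt stream: leave None
    return result

# Constructed sample: the same page served plain and with gzip encoding.
PATTERN = b"EXAMPLE-SIGNATURE-STRING"
PAGE = b"<html><body>" + b"<p>padding</p>" * 8 + PATTERN + b"</body></html>"
PLAIN = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + PAGE
GZIPPED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
           b"Content-Encoding: gzip\r\n\r\n" + gzip.compress(PAGE))

if __name__ == "__main__":
    print(inspect(PLAIN, PATTERN))
    print(inspect(GZIPPED, PATTERN))
```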