[Snort-users] Snort and gzip Encode Question
robby.lists at ...11827...
Fri Aug 19 07:38:07 EDT 2005
Thanks for the reply. I was wondering if SNORT can decode compressed
html. mod_gzip for Apache "...allows for using the compression method
gzip for a significant reduction of the volume of web page content
served over the HTTP protocol."
Basically the HTML content is compressed by the web server and sent to
the browser where it is uncompressed. I'm thinking this may create
some challenges with SNORT.
On 8/19/05, Joel Esler <joel.esler at ...1935...> wrote:
> It is possible to catch a gzip'ed file by looking for the gzip's hex.
> I don't know if that is what you are looking for... |1F 8B 08| is gz.
> |50 4B 03 04| is .zip
> On Aug 19, 2005, at 9:17 AM, dajackman wrote:
> > I'm trying to come up with a rule to catch this Internet Explorer
> > (.Net) 0day Exploit. While playing around with a rule I came up with
> > a question I haven't found the answer to. Can snort do anything with
> > compressed html/gzip encoding? A quick google search and SNORT Doc
> > peek didn't produce much. Thanks.
> > -dajackman
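The detection gap discussed in this thread, as an added example that is not part of the original messages and is not Snort code: a byte pattern that matches an uncompressed HTTP body does not match the same body once the server gzips it, while the magic bytes quoted above identify the container and decoding (with a size cap) restores the match. The pattern, responses and the `MAX_DECODED` limit are constructed for illustration.

```python
import gzip
import zlib

GZIP_MAGIC = bytes.fromhex("1f8b08")    # |1F 8B 08| quoted in the thread
ZIP_MAGIC = bytes.fromhex("504b0304")   # |50 4B 03 04| quoted in the thread
MAX_DECODED = 1 << 20                   # assumed cap on inflated bytes (bomb guard)

def http_body(raw):
    """Return the bytes after the blank line that ends the HTTP headers."""
    return raw.partition(b"\r\n\r\n")[2]

def container(body):
    """Name the compressed container a body starts with, or None."""
    if body.startswith(GZIP_MAGIC):
        return "gzip"
    if body.startswith(ZIP_MAGIC):
        return "zip"
    return None

def inflate(body):
    """Gunzip at most MAX_DECODED bytes; b'' if the stream is corrupt."""
    try:
        return zlib.decompressobj(wbits=31).decompress(body, MAX_DECODED)
    except zlib.error:
        return b""

def inspect(raw, pattern):
    """Match pattern on the wire bytes and, for gzip bodies, on the decoded bytes."""
    body = http_body(raw)
    kind = container(body)
    decoded = inflate(body) if kind == "gzip" else b""
    return {"container": kind, "wire_hit": pattern in body,
            "decoded_hit": pattern in decoded}

# Constructed sample data, not taken from any real exploit or capture.
PATTERN = b"CONSTRUCTED_MARKER"
HTML = (b"<html><body>" + b"<p>padding</p>" * 20 +
        b"<script>" + PATTERN + b"()</script></body></html>")
PLAIN = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + HTML
GZIPPED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
           b"Content-Encoding: gzip\r\n\r\n" + gzip.compress(HTML))

if __name__ == "__main__":
    for name, resp in (("plain", PLAIN), ("gzip", GZIPPED)):
        print(name, inspect(resp, PATTERN))
```

The sketch treats each response as a single buffer; a sensor working on live traffic would also have to reassemble the TCP stream before the gzip body can be inflated.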