[Snort-users] http content-encoding: gzip

Dave Rutherford dave at ...14014...
Sat Nov 14 11:44:50 EST 2009


On Sat, Nov 14, 2009 at 08:28, Adam Szabo <adamx001 at ...11827...> wrote:
> Do you know how to 'decrypt' a TCP packet with gzip content-encoding in the
> payload?
> For example if I visit google.com, Snort captures a TCP packet with this in
> the payload:
>
>> length = 1418
>>
>> 000 : 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D   HTTP/1.1 200 OK.
[...]
>> 100 : 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 33   ontent-Length: 3
>> 110 : 31 31 37 0D 0A 58 2D 58 53 53 2D 50 72 6F 74 65   117..X-XSS-Prote
>> 120 : 63 74 69 6F 6E 3A 20 30 0D 0A 0D 0A 1F 8B 08 00   ction: 0........
>>
>> 130 : 00 00 00 00 02 FF E5 5A DD 6E DB 38 16 7E 15 4E   .......Z.n.8.~.N
>> 140 : 83 41 52 C0 56 64 3B 71 1C BB CD 60 7F 66 3B C0   .AR.Vd;q...` f;.
>> 150 : 60 E7 66 BA D8 8B ED A2 A0 24 CA 62 4D FD 54 A4   `.f......$.bM.T.

Strip out all the bytes corresponding to the headers. Here that's everything
up to and including the 0D 0A 0D 0A on line 120. Then delete the first and last
columns so you have only the hex bytes remaining. Reformat at one "byte"
per line, so it looks like this:

1F
8B
08
00
00
00
00
00
02
FF
E5
5A
DD
6E
DB
... etc.

Let's call this file tmp.hex.  Using bash,

$ while read w; do echo $((0x$w)); done < tmp.hex |
    LC_ALL=C awk '{ printf "%c", $1; }' |   # C locale: %c writes one raw byte for values > 127, not a UTF-8 sequence
    zcat                                    # one packet holds only part of the body: zcat prints the decoded prefix, then warns of an unexpected end of file

I won't spoil your surprise at what you've captured here, but
this method certainly does decode it.

Regards,
   Dave
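The same recipe as a script, added here as an example that is not part of the original post: it parses the Snort hex dump directly (quoted ">" prefixes included), cuts the payload at the blank line that ends the HTTP headers, checks Content-Encoding, and gunzips with zlib's streaming decompressor, which returns whatever prefix a single truncated packet holds instead of failing. The sample response and its dump are constructed inline; make_dump exists only to build that sample.

```python
import gzip
import zlib

def dump_to_bytes(dump: str) -> bytes:
    """Parse 'OFF : HH HH ...   ascii' lines; '>' quote marks and non-dump lines are skipped."""
    out = bytearray()
    for line in dump.splitlines():
        off, _, rest = line.lstrip('> ').partition(':')
        if not rest or not off.strip().isalnum():     # drops 'length = 1418', '[...]', blanks
            continue
        for tok in rest.lstrip()[:47].split():         # hex column is 16 x 'HH ' wide, ASCII beyond
            if len(tok) != 2 or not all(c in '0123456789abcdefABCDEF' for c in tok):
                break                                  # unpadded short line: reached the ASCII column
            out.append(int(tok, 16))
    return bytes(out)

def split_http(payload: bytes):
    """Split at the CRLFCRLF that ends the headers; return ({lowercased name: value}, body)."""
    head, sep, body = payload.partition(b'\r\n\r\n')
    if not sep:
        raise ValueError('end of HTTP headers not found in captured payload')
    headers = {}
    for line in head.split(b'\r\n')[1:]:               # [1:] skips the status line
        name, _, value = line.partition(b':')
        headers[name.strip().lower().decode('latin-1')] = value.strip().decode('latin-1')
    return headers, body

def decode_body(headers: dict, body: bytes):
    """Gunzip when Content-Encoding is gzip; second value is True if the stream was cut short."""
    if headers.get('content-encoding', '').lower() != 'gzip':
        return body, False
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)       # +16: expect a gzip header, not raw zlib
    return d.decompress(body), not d.eof               # a truncated stream still yields its prefix

# Constructed sample, not a real capture: a gzip-encoded response rendered in the dump layout.
def make_dump(payload: bytes) -> str:
    rows = []
    for off in range(0, len(payload), 16):
        chunk = payload[off:off + 16]
        asc = ''.join(chr(b) if 32 <= b < 127 else '.' for b in chunk)
        rows.append(f"{off:03X} : {' '.join(f'{b:02X}' for b in chunk):47}   {asc}")
    return '\n'.join(rows)

HTML = b'<html><ul>' + b''.join(b'<li>item %d: %d</li>\n' % (i, i * i) for i in range(1000)) + b'</ul></html>'
GZ = gzip.compress(HTML)
RESPONSE = b'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\nContent-Length: %d\r\n\r\n' % len(GZ) + GZ
FIRST_PACKET_DUMP = make_dump(RESPONSE[:1418])       # only the first 1418-byte segment was captured
FULL_DUMP = make_dump(RESPONSE)
```

Run a real dump through decode_body(*split_http(dump_to_bytes(text))); the second value tells you the capture ended before the gzip stream did.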
