[Snort-users] http content-encoding: gzip

Richard Bejtlich taosecurity at ...11827...
Sat Nov 14 13:03:34 EST 2009


On Sat, Nov 14, 2009 at 8:28 AM, Adam Szabo <adamx001 at ...11827...> wrote:
> Hello,
>
> Do you know how to 'decrypt' a TCP packet with gzip content-encoding in the
> payload?

Wireshark and Tshark will do this for you automatically.  For example,
I visited www.google.com and captured the traffic with Wireshark.
Tshark renders a gzip-encoded response as gzip-encoded, then decoded.

Reassembled TCP (4138 bytes):

0000  48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d   HTTP/1.1 200 OK.
0010  0a 45 78 70 69 72 65 73 3a 20 53 61 74 2c 20 31   .Expires: Sat, 1
0020  33 20 4e 6f 76 20 32 30 31 30 20 30 30 3a 30 30   3 Nov 2010 00:00
0030  3a 30 30 20 47 4d 54 0d 0a 4c 61 73 74 2d 4d 6f   :00 GMT..Last-Mo
0040  64 69 66 69 65 64 3a 20 53 61 74 2c 20 31 35 20   dified: Sat, 15
0050  4e 6f 76 20 32 30 30 38 20 30 30 3a 30 30 3a 30   Nov 2008 00:00:0
0060  30 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54   0 GMT..Content-T
0070  79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20   ype: text/html;
0080  63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 43   charset=UTF-8..C
0090  6f 6e 74 65 6e 74 2d 45 6e 63 6f 64 69 6e 67 3a   ontent-Encoding:
00a0  20 67 7a 69 70 0d 0a 44 61 74 65 3a 20 53 61 74    gzip..Date: Sat
00b0  2c 20 31 34 20 4e 6f 76 20 32 30 30 39 20 31 37   , 14 Nov 2009 17
00c0  3a 35 35 3a 34 33 20 47 4d 54 0d 0a 53 65 72 76   :55:43 GMT..Serv
00d0  65 72 3a 20 67 77 73 0d 0a 43 61 63 68 65 2d 43   er: gws..Cache-C
00e0  6f 6e 74 72 6f 6c 3a 20 70 72 69 76 61 74 65 2c   ontrol: private,
00f0  20 78 2d 67 7a 69 70 2d 6f 6b 3d 22 22 0d 0a 43    x-gzip-ok=""..C
0100  6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 33   ontent-Length: 3
0110  38 33 38 0d 0a 58 2d 58 53 53 2d 50 72 6f 74 65   838..X-XSS-Prote
0120  63 74 69 6f 6e 3a 20 30 0d 0a 0d 0a 1f 8b 08 00   ction: 0........
0130  00 00 00 00 02 ff e5 5a 0b 8f e3 b8 91 fe 2b dc   .......Z......+.
0140  69 2c 7a 26 b0 65 c9 76 db 6e 7b 67 16 49 76 33   i,z&.e.v.n{g.Iv3
0150  39 e0 12 2c 32 83 3b 1c 6e 0f 03 4a a2 2c cd 48   9..,2.;.n..J.,.H
0160  a2 46 a4 da dd 63 f8 bf a7 8a 0f 89 92 e5 7e 2c   .F...c........~,
0170  92 43 80 a0 d1 32 45 91 55 1f eb c5 2a 4a 77 b4   .C...2E.U...*Jw.
...truncated...

Uncompressed entity body (13577 bytes):

0000  76 61 72 20 6a 65 20 3d 20 67 6f 6f 67 6c 65 2e   var je = google.
0010  6a 3b 76 61 72 20 64 72 20 3d 20 30 3b 76 61 72   j;var dr = 0;var
0020  20 66 70 20 3d 20 27 38 61 34 66 35 32 38 37 36    fp = '8a4f52876
0030  35 65 39 32 30 63 31 27 3b 76 61 72 20 5f 6c 6f   5e920c1';var _lo
0040  63 20 3d 20 27 27 3b 76 61 72 20 5f 73 73 20 3d   c = '';var _ss =
0050  20 30 3b 6a 65 2e 61 63 28 7b 63 73 73 3a 27 5c    0;je.ac({css:'\
0060  78 33 63 73 74 79 6c 65 5c 78 33 65 62 6f 64 79   x3cstyle\x3ebody
0070  7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66   {background:#fff
0080  3b 63 6f 6c 6f 72 3a 23 30 30 30 3b 6d 61 72 67   ;color:#000;marg
0090  69 6e 3a 33 70 78 20 38 70 78 7d 23 67 62 61 72   in:3px 8px}#gbar
00a0  7b 66 6c 6f 61 74 3a 6c 65 66 74 3b 68 65 69 67   {float:left;heig
00b0  68 74 3a 32 32 70 78 7d 2e 67 62 68 2c 2e 67 62   ht:22px}.gbh,.gb
00c0  64 7b 62 6f 72 64 65 72 2d 74 6f 70 3a 31 70 78   d{border-top:1px
00d0  20 73 6f 6c 69 64 20 23 63 39 64 37 66 31 3b 66    solid #c9d7f1;f
00e0  6f 6e 74 2d 73 69 7a 65 3a 31 70 78 7d 2e 67 62   ont-size:1px}.gb
00f0  68 7b 68 65 69 67 68 74 3a 30 3b 70 6f 73 69 74   h{height:0;posit
0100  69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70   ion:absolute;top
0110  3a 32 34 70 78 3b 77 69 64 74 68 3a 31 30 30 25   :24px;width:100%
0120  7d 23 67 62 69 2c 23 67 62 67 2c 23 67 62 73 2c   }#gbi,#gbg,#gbs,
0130  23 67 62 6d 7b 62 61 63 6b 67 72 6f 75 6e 64 3a   #gbm{background:
0140  23 66 66 66 3b 6c 65 66 74 3a 30 3b 70 6f 73 69   #fff;left:0;posi
0150  74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 65   tion:absolute;te

Sincerely,

Richard
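Doing the same decode by hand, as an added example that is not from this post, Wireshark or Snort: the script below splits a reassembled response at the end of the headers, checks Content-Length against the reassembled body, and inflates a gzip body with zlib while capping the inflated size. The sample response bytes are constructed to mirror the headers in the capture above; the 1 MiB cap and the function names are assumptions.

```python
import gzip
import zlib

# Assumption: cap the inflated size, as an inspection engine would.
MAX_INFLATED = 1024 * 1024

def split_http_response(raw: bytes):
    """Split a reassembled response into (status line, header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of HTTP headers not found")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body

def inflate_bounded(body: bytes, limit: int = MAX_INFLATED) -> bytes:
    """Inflate a gzip entity body, refusing to produce more than `limit` bytes."""
    if body[:2] != b"\x1f\x8b":
        raise ValueError("body does not start with the gzip magic 1f 8b")
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects the gzip wrapper
    out = d.decompress(body, limit)
    # Leftover input that still yields output means the entity is over the cap
    # (this is what catches a decompression bomb).
    if d.unconsumed_tail and d.decompress(d.unconsumed_tail, 1):
        raise ValueError(f"inflated entity exceeds {limit} bytes")
    return out

def decode_response(raw: bytes) -> bytes:
    """Return the decoded entity body of a reassembled HTTP response."""
    _, headers, body = split_http_response(raw)
    length = headers.get("content-length")
    if length is not None and int(length) != len(body):
        raise ValueError("Content-Length does not match the reassembled body")
    encoding = headers.get("content-encoding", "identity").lower()
    if encoding in ("gzip", "x-gzip"):
        return inflate_bounded(body)
    if encoding == "identity":
        return body
    raise ValueError(f"unsupported Content-Encoding: {encoding}")

# Constructed sample modelled on the headers in the capture above.
ENTITY = b"var je = google.j;var dr = 0;var fp = 'constructed';" * 8
COMPRESSED = gzip.compress(ENTITY)
SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"
          b"Content-Encoding: gzip\r\nContent-Length: %d\r\n\r\n" % len(COMPRESSED)
          + COMPRESSED)
```

Calling decode_response(SAMPLE) returns the original entity; passing a smaller limit to inflate_bounded raises instead of inflating past it.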
