[Snort-users] http content-encoding: gzip

Adam Szabo adamx001 at ...11827...
Sat Nov 14 13:15:41 EST 2009


Thank you a lot both!

Adam Szabo

On Sat, Nov 14, 2009 at 7:03 PM, Richard Bejtlich <taosecurity at ...11827...> wrote:

> On Sat, Nov 14, 2009 at 8:28 AM, Adam Szabo <adamx001 at ...11827...> wrote:
> > Hello,
> >
> > Do you know how to 'decrypt' a TCP packet with gzip content-encoding in
> the
> > payload?
>
> Wireshark and Tshark will do this for you automatically.  For example,
> I visited www.google.com and captured the traffic with Wireshark.
> Tshark renders a gzip-encoded response as gzip-encoded, then decoded.
>
> Reassembled TCP (4138 bytes):
>
> 0000  48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d   HTTP/1.1 200 OK.
> 0010  0a 45 78 70 69 72 65 73 3a 20 53 61 74 2c 20 31   .Expires: Sat, 1
> 0020  33 20 4e 6f 76 20 32 30 31 30 20 30 30 3a 30 30   3 Nov 2010 00:00
> 0030  3a 30 30 20 47 4d 54 0d 0a 4c 61 73 74 2d 4d 6f   :00 GMT..Last-Mo
> 0040  64 69 66 69 65 64 3a 20 53 61 74 2c 20 31 35 20   dified: Sat, 15
> 0050  4e 6f 76 20 32 30 30 38 20 30 30 3a 30 30 3a 30   Nov 2008 00:00:0
> 0060  30 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54   0 GMT..Content-T
> 0070  79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20   ype: text/html;
> 0080  63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 43   charset=UTF-8..C
> 0090  6f 6e 74 65 6e 74 2d 45 6e 63 6f 64 69 6e 67 3a   ontent-Encoding:
> 00a0  20 67 7a 69 70 0d 0a 44 61 74 65 3a 20 53 61 74    gzip..Date: Sat
> 00b0  2c 20 31 34 20 4e 6f 76 20 32 30 30 39 20 31 37   , 14 Nov 2009 17
> 00c0  3a 35 35 3a 34 33 20 47 4d 54 0d 0a 53 65 72 76   :55:43 GMT..Serv
> 00d0  65 72 3a 20 67 77 73 0d 0a 43 61 63 68 65 2d 43   er: gws..Cache-C
> 00e0  6f 6e 74 72 6f 6c 3a 20 70 72 69 76 61 74 65 2c   ontrol: private,
> 00f0  20 78 2d 67 7a 69 70 2d 6f 6b 3d 22 22 0d 0a 43    x-gzip-ok=""..C
> 0100  6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 33   ontent-Length: 3
> 0110  38 33 38 0d 0a 58 2d 58 53 53 2d 50 72 6f 74 65   838..X-XSS-Prote
> 0120  63 74 69 6f 6e 3a 20 30 0d 0a 0d 0a 1f 8b 08 00   ction: 0........
> 0130  00 00 00 00 02 ff e5 5a 0b 8f e3 b8 91 fe 2b dc   .......Z......+.
> 0140  69 2c 7a 26 b0 65 c9 76 db 6e 7b 67 16 49 76 33   i,z&.e.v.n{g.Iv3
> 0150  39 e0 12 2c 32 83 3b 1c 6e 0f 03 4a a2 2c cd 48   9..,2.;.n..J.,.H
> 0160  a2 46 a4 da dd 63 f8 bf a7 8a 0f 89 92 e5 7e 2c   .F...c........~,
> 0170  92 43 80 a0 d1 32 45 91 55 1f eb c5 2a 4a 77 b4   .C...2E.U...*Jw.
> ...truncated...
>
> Uncompressed entity body (13577 bytes):
>
> 0000  76 61 72 20 6a 65 20 3d 20 67 6f 6f 67 6c 65 2e   var je = google.
> 0010  6a 3b 76 61 72 20 64 72 20 3d 20 30 3b 76 61 72   j;var dr = 0;var
> 0020  20 66 70 20 3d 20 27 38 61 34 66 35 32 38 37 36    fp = '8a4f52876
> 0030  35 65 39 32 30 63 31 27 3b 76 61 72 20 5f 6c 6f   5e920c1';var _lo
> 0040  63 20 3d 20 27 27 3b 76 61 72 20 5f 73 73 20 3d   c = '';var _ss =
> 0050  20 30 3b 6a 65 2e 61 63 28 7b 63 73 73 3a 27 5c    0;je.ac({css:'\
> 0060  78 33 63 73 74 79 6c 65 5c 78 33 65 62 6f 64 79   x3cstyle\x3ebody
> 0070  7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66   {background:#fff
> 0080  3b 63 6f 6c 6f 72 3a 23 30 30 30 3b 6d 61 72 67   ;color:#000;marg
> 0090  69 6e 3a 33 70 78 20 38 70 78 7d 23 67 62 61 72   in:3px 8px}#gbar
> 00a0  7b 66 6c 6f 61 74 3a 6c 65 66 74 3b 68 65 69 67   {float:left;heig
> 00b0  68 74 3a 32 32 70 78 7d 2e 67 62 68 2c 2e 67 62   ht:22px}.gbh,.gb
> 00c0  64 7b 62 6f 72 64 65 72 2d 74 6f 70 3a 31 70 78   d{border-top:1px
> 00d0  20 73 6f 6c 69 64 20 23 63 39 64 37 66 31 3b 66    solid #c9d7f1;f
> 00e0  6f 6e 74 2d 73 69 7a 65 3a 31 70 78 7d 2e 67 62   ont-size:1px}.gb
> 00f0  68 7b 68 65 69 67 68 74 3a 30 3b 70 6f 73 69 74   h{height:0;posit
> 0100  69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70   ion:absolute;top
> 0110  3a 32 34 70 78 3b 77 69 64 74 68 3a 31 30 30 25   :24px;width:100%
> 0120  7d 23 67 62 69 2c 23 67 62 67 2c 23 67 62 73 2c   }#gbi,#gbg,#gbs,
> 0130  23 67 62 6d 7b 62 61 63 6b 67 72 6f 75 6e 64 3a   #gbm{background:
> 0140  23 66 66 66 3b 6c 65 66 74 3a 30 3b 70 6f 73 69   #fff;left:0;posi
> 0150  74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 65   tion:absolute;te
>
> Sincerely,
>
> Richard
>
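What Tshark shows above is decompression, not decryption: the `1f 8b 08` bytes that follow the blank header line in the capture are the gzip magic and method byte, and the entity body behind them is an ordinary gzip stream. The following is an added example (not from this thread, and not Wireshark or Tshark code) that reproduces the two steps those tools perform automatically: split the reassembled response at the `CRLF CRLF` end-of-headers marker, then inflate the body when `Content-Encoding: gzip` is present. The sample response is constructed in the script; the bytes from Richard's capture are not reproduced. Because the thread's capture is truncated, the decoder uses a streaming `zlib` object and reports whether the gzip trailer was reached, so a capture that stops mid-stream still yields the prefix that was recoverable instead of an error.

```python
"""Decode an HTTP response whose entity body carries Content-Encoding: gzip.

Added example for the snort-users thread; a plain re-implementation of the
header-then-body decoding that Wireshark/Tshark do automatically.
"""
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"  # the 1f 8b seen right after the blank line in the capture


def split_response(raw: bytes):
    """Split a reassembled HTTP response into (status_line, headers, body).

    Header names are lower-cased; the body is whatever follows the blank line.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker (CRLF CRLF) found")
    lines = head.split(b"\r\n")
    status_line = lines[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = (
            value.strip().decode("latin-1")
        )
    return status_line, headers, body


def decode_body(headers: dict, body: bytes):
    """Return (decoded_bytes, complete).

    complete is False when the data ended before the gzip trailer (CRC32 and
    ISIZE), which is exactly what a truncated capture looks like.
    """
    encoding = headers.get("content-encoding", "identity").lower()
    declared = headers.get("content-length")
    if encoding == "identity":
        return body, declared is None or len(body) >= int(declared)
    if encoding != "gzip":
        raise ValueError(f"unsupported Content-Encoding: {encoding}")
    if not body.startswith(GZIP_MAGIC):
        raise ValueError("Content-Encoding says gzip but body lacks the 1f 8b magic")
    # 16 + MAX_WBITS tells zlib to expect a gzip wrapper (header plus trailer);
    # a decompressobj hands back partial output on a short stream instead of failing.
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)
    try:
        decoded = inflater.decompress(body)
    except zlib.error as exc:
        raise ValueError(f"corrupt gzip stream: {exc}") from exc
    return decoded, inflater.eof


def decode_response(raw: bytes):
    """Convenience wrapper: headers and body in, decoded body and completeness out."""
    _, headers, body = split_response(raw)
    return decode_body(headers, body)


# --- constructed sample data (not the bytes from the capture in the thread) ---
ORIGINAL_BODY = b"var je = google.j;var dr = 0;var fp = 'constructed';" * 40
_COMPRESSED = gzip.compress(ORIGINAL_BODY, mtime=0)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Content-Encoding: gzip\r\n"
    b"Content-Length: " + str(len(_COMPRESSED)).encode("ascii") + b"\r\n"
    b"\r\n"
) + _COMPRESSED

if __name__ == "__main__":
    decoded, complete = decode_response(SAMPLE_RESPONSE)
    print(f"complete={complete} bytes={len(decoded)} head={decoded[:32]!r}")
    # Drop the tail, as a capture that stopped mid-stream would
    partial, complete = decode_response(SAMPLE_RESPONSE[:-10])
    print(f"complete={complete} bytes={len(partial)} "
          f"prefix_of_original={ORIGINAL_BODY.startswith(partial)}")
```

When pointing this at real traffic, feed it the reassembled TCP stream (the "Reassembled TCP" view in the thread), not a single segment: a single packet will usually hold only part of the headers or part of the gzip stream, and the completeness flag will come back False for that reason alone.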