[Snort-users] Snort 2.8.6-beta and gzip encoding

Alex Kirk akirk at ...1935...
Tue Jan 19 15:51:47 EST 2010

I spent this morning testing this myself, and it appears that some bugs
remain in the gzip code - both in regards to stream reassembly and return
codes from zlib that indicate success, but in different ways. I've filed
some internal bugs here, and hopefully fixes will be forthcoming reasonably
soon. For now, though, I wouldn't expect a great deal of success with gzip

On Thu, Jan 14, 2010 at 7:52 AM, <luismanuel.carril at ...14693...> wrote:

> Hi
>   I have been trying to use the new gzip feature to detect words in
> the HTTP body response, but I am unable to detect anything.
>   I have compiled Snort with --enable-zlib and at the conf file I
> have configured the http_inspect_server  in this way:
> preporcessor http_inspect_server: server default \
>   profile all ports {80 8080 8180} oversize_dir_length 500
> server_flow_depth 1460 extended_response_inspection inspect_gzip
> compress_depth 1460 decompress_depth 20480
>   Has someone had success with this?
> Thanks in advance
> Luis M.
> ------------------------------------------------------------------------------
> Throughout its 18-year history, RSA Conference consistently attracts the
> world's best and brightest in the field, creating opportunities for
> Conference
> attendees to learn about information security's most important issues
> through
> interactions with peers, luminaries and emerging and established companies.
> http://p.sf.net/sfu/rsaconf-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
alex.kirk at ...1935...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100119/01fd61f1/attachment.html>

More information about the Snort-users mailing list