[Snort-users] how to write rule to match content in http response gzip encoding?

waldo kitty wkitty42 at ...14940...
Thu Dec 13 13:13:44 EST 2012


On 12/13/2012 12:57, Mitesh Jadia wrote:
> Hello,
>
> I am writing one rule like
>   content:"ABC";nocase;msg:....
>
> http response is in gzip encoding and I have enabled ZLIB while configuring
> snort. Also http_inspect preprocessor configuration is set to
> extended_response_inspection. But this rule is not getting matched.
>
> Please show me proper way.

post the rule that you have as it is... you may be close or you may be a world 
away... we cannot tell without seeing the rule...

there are several ways to do things and one answer is not always /the/ only 
answer...



