[Snort-users] how to write rule to match content in http response gzip encoding?

James Lay jlay at ...13475...
Thu Dec 13 18:14:57 EST 2012

On 2012-12-13 10:57, Mitesh Jadia wrote:
> Hello,
> I am writing one rule like    
>  content:"ABC";nocase;msg:....
> http response is in gzip encoding and I have enabled ZLIB while
> configuring snort. Also http_inspect preprocessor configuration is
> set to extended_response_inspection. But this rule is not getting
> matched.
> Please show me proper way.
> Regards,
> Mitesh

Make sure you enable inspect_gzip in your http_inspect.  You'll also 
need the file_data; in order to normalize the content.


Hope that helps.
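
The two changes suggested in the reply, written out as a Snort 2.9.x configuration and rule pair. This is an added example, not part of the original post; the port list, depth values, msg strings and sid numbers are assumptions chosen for illustration.

```snort
# --- snort.conf (Snort 2.9.x built with zlib support) ---

# Global bounds on how much compressed input and decompressed output
# http_inspect will process (65535 is the maximum for both; assumed here).
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 \
    compress_depth 65535 decompress_depth 65535

# inspect_gzip only takes effect when extended_response_inspection
# is enabled on the same server block.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } \
    extended_response_inspection \
    inspect_gzip

# --- local.rules ---

# Before: without file_data the content match runs against the packet
# payload, where a gzip-encoded body is still compressed, so "ABC"
# is never seen.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL ABC in HTTP response, raw payload"; flow:to_client,established; content:"ABC"; nocase; sid:1000001; rev:1;)

# After: file_data points the detection cursor at the response body
# as normalized (dechunked and decompressed) by http_inspect; the
# content match that follows is evaluated in that buffer.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL ABC in HTTP response, decompressed body"; flow:to_client,established; file_data; content:"ABC"; nocase; sid:1000002; rev:1;)
```

Content located beyond the configured decompress_depth is not inspected, so a match that must appear deep in a large response depends on those limits as well as on file_data.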

