[Snort-users] how to write rule to match content in http response gzip encoding?

James Lay jlay at ...13475...
Thu Dec 13 18:14:57 EST 2012


On 2012-12-13 10:57, Mitesh Jadia wrote:
> Hello,
>
> I am writing one rule like    
>  content:"ABC";nocase;msg:....
>
> The HTTP response is in gzip encoding and I have enabled ZLIB while
> configuring snort. Also the http_inspect preprocessor configuration is 
> set
> to extended_response_inspection. But this rule is not getting 
> matched.
>
>
> Please show me the proper way.
>
> Regards,
> Mitesh


Make sure you enable inspect_gzip in your http_inspect.  You'll also 
need the file_data; in order to normalize the content.

http://manual.snort.org/node398.html

Hope that helps.

James
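To make the reply concrete, here is an added illustration (not code from the original thread or from the Snort project) of why a plain content match fails on a gzip-encoded response and what the inspect_gzip + file_data combination gives the rule to look at. The script builds a constructed HTTP response with a gzipped body, searches the wire bytes the way a bare content:"ABC"; nocase; would, then searches the decompressed body the way http_inspect presents it through file_data. The Snort config snippet and rule are assumed shapes based on the reply and the manual page it links, with a placeholder sid in the local range.

```python
import gzip

# Constructed sample body, standing in for the HTTP response in the question.
BODY = b"<html><body>the token ABC appears in this page</body></html>"

# Assumed http_inspect_server settings the reply points at (Snort 2.9 syntax):
# inspect_gzip decompresses the body, extended_response_inspection lets
# http_inspect parse response headers so it knows the body is gzip-encoded.
SNORT_HTTP_INSPECT = (
    "preprocessor http_inspect_server: server default \\\n"
    "    profile all ports { 80 8080 } \\\n"
    "    inspect_gzip \\\n"
    "    extended_response_inspection\n"
)

# Assumed rule shape: file_data moves the detection cursor to the normalized
# (decompressed) response body before the content match. sid is a placeholder.
SNORT_RULE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
    '(msg:"ABC seen in gzip-decoded HTTP response"; '
    'flow:to_client,established; file_data; content:"ABC"; nocase; '
    'sid:1000001; rev:1;)'
)


def build_gzip_response(body: bytes) -> bytes:
    """Return a constructed HTTP/1.1 response whose body is gzip-compressed."""
    compressed = gzip.compress(body, mtime=0)  # mtime=0 keeps output deterministic
    headers = (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html\r\n"
        b"Content-Encoding: gzip\r\n"
        b"Content-Length: " + str(len(compressed)).encode() + b"\r\n"
        b"\r\n"
    )
    return headers + compressed


def split_response(wire: bytes):
    """Split a response into a lowercase header dict and the raw body bytes."""
    head, _, body = wire.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body


def normalized_body(wire: bytes) -> bytes:
    """Approximate what inspect_gzip hands to file_data: the decoded body."""
    headers, body = split_response(wire)
    if headers.get(b"content-encoding") == b"gzip":
        return gzip.decompress(body)
    return body


def content_match(buf: bytes, pattern: bytes, nocase: bool = True) -> bool:
    """Behave like content:"..."; with optional nocase; on a buffer."""
    if nocase:
        return pattern.lower() in buf.lower()
    return pattern in buf


def raw_match(wire: bytes, pattern: bytes) -> bool:
    """The original rule: content applied to the undecoded wire bytes."""
    return content_match(wire, pattern)


def decoded_match(wire: bytes, pattern: bytes) -> bool:
    """The fixed rule: content applied after file_data, i.e. to the decoded body."""
    return content_match(normalized_body(wire), pattern)


if __name__ == "__main__":
    wire = build_gzip_response(BODY)
    print("raw content match   :", raw_match(wire, b"ABC"))
    print("file_data match     :", decoded_match(wire, b"ABC"))
    print(SNORT_HTTP_INSPECT)
    print(SNORT_RULE)
```

The raw search fails because the compressed stream does not carry the literal bytes of "ABC"; only after decompression does the pattern exist, which is exactly the buffer file_data selects once inspect_gzip is enabled. Without extended_response_inspection, http_inspect does not parse the response headers, so it never learns the body is gzip-encoded and never decompresses it.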
