[Snort-users] how to write rule to match content in http response gzip encoding?
jlay at ...13475...
Thu Dec 13 18:14:57 EST 2012
On 2012-12-13 10:57, Mitesh Jadia wrote:
> I am writing one rule like
> http response is in gzip encoding and I have enabled ZLIB while
> configuring snort. Also http_inspect preprocessor configuration is
> to extended_response_inspection. But this rule is not getting
> Please show me proper way.
Make sure you enable inspect_gzip in your http_inspect. You'll also
need the file_data; in order to normalize the content.
Hope that helps.
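
The setup described in the reply, as an added example that is not part of the original post. Snort 2.9.x syntax is assumed, and the port list, depth values, message text, matched string and sid are constructed placeholders.

```snort
# --- snort.conf (assumes Snort 2.9.x built with zlib support) ---

# Global http_inspect settings. compress_depth / decompress_depth bound how
# much of each gzip body is inflated; content past that limit is not inspected.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 \
    compress_depth 65535 decompress_depth 65535

# Server settings. extended_response_inspection turns on response parsing;
# inspect_gzip additionally inflates gzip-encoded response bodies.
preprocessor http_inspect_server: server default \
    profile all \
    ports { 80 8080 } \
    extended_response_inspection \
    inspect_gzip

# --- local.rules ---

# Without file_data the content match is not pointed at the decompressed
# response body, so this form does not find a string inside a gzip response.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
#     msg:"LOCAL constructed example - no file_data"; \
#     flow:to_client,established; \
#     content:"example-marker-string"; \
#     sid:1000001; rev:1;)

# With file_data the detection cursor is set to the normalized (inflated)
# response body, and the content match that follows is evaluated there.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"LOCAL constructed example - string in gzip HTTP response body"; \
    flow:to_client,established; \
    file_data; content:"example-marker-string"; \
    sid:1000002; rev:1;)
```

The ports in `http_inspect_server` have to include the port the response actually arrives from, otherwise the body is never handed to the preprocessor for decompression.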