[Snort-users] how to write rule to match content in http response gzip encoding?

Mitesh Jadia mitesh.jadia at ...11827...
Fri Dec 14 01:33:42 EST 2012


file_data was missing in my rule. It worked. Thank you.

The rule I was trying was

drop tcp any any -> any any (content:"ABC"; nocase; msg:"detected in gzip response"; sid:10000001;)

This rule worked to detect content in the gzip-encoded HTTP response:

drop tcp any any -> any any (file_data; content:"ABC"; nocase; msg:"detected in gzip response"; sid:10000001;)


On Fri, Dec 14, 2012 at 4:44 AM, James Lay <jlay at ...13475...> wrote:

> On 2012-12-13 10:57, Mitesh Jadia wrote:
> > Hello,
> >
> > I am writing one rule like
> >  content:"ABC";nocase;msg:....
> >
> > The HTTP response is in gzip encoding and I have enabled ZLIB while
> > configuring Snort. Also, the http_inspect preprocessor configuration is
> > set to extended_response_inspection. But this rule is not getting
> > matched.
> >
> >
> > Please show me proper way.
> >
> > Regards,
> > Mitesh
>
>
> Make sure you enable inspect_gzip in your http_inspect.  You'll also
> need the file_data; in order to normalize the content.
>
> http://manual.snort.org/node398.html
>
> Hope that helps.
>
> James
>
>
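As an added illustration (not code from the thread or from Snort), the Python model below shows why the first rule fails and the second matches: a bare content match searches the raw, still-compressed payload, while file_data (with inspect_gzip enabled in http_inspect) hands the rule the decompressed response body. The sample HTTP response is constructed here; the real preprocessor does more than this simplified decompress-and-search.

```python
import gzip

# Constructed sample: a gzip-encoded HTTP response whose body contains
# the literal the rule looks for, in mixed case to exercise "nocase".
PLAIN_BODY = b"<html><body>Found aBc inside the page</body></html>"
GZIP_BODY = gzip.compress(PLAIN_BODY, mtime=0)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Encoding: gzip\r\n"
    + b"Content-Length: %d\r\n" % len(GZIP_BODY)
    + b"\r\n"
    + GZIP_BODY
)


def split_response(raw: bytes):
    """Split a raw HTTP response into a lower-cased header dict and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def raw_content_match(raw: bytes, pattern: bytes) -> bool:
    """Model of content:"ABC"; nocase; without file_data: a case-insensitive
    byte search over the raw packet payload. The deflate stream does not
    carry the literal, so the compressed response never matches."""
    return pattern.lower() in raw.lower()


def file_data_match(raw: bytes, pattern: bytes) -> bool:
    """Model of file_data on a gzip response: search the body after
    decompression, which is the buffer Snort hands the rule when
    inspect_gzip is on (simplified; the real preprocessor does more)."""
    headers, body = split_response(raw)
    if headers.get(b"content-encoding", b"").lower() == b"gzip":
        body = gzip.decompress(body)
    return pattern.lower() in body.lower()


if __name__ == "__main__":
    print("raw payload match:     ", raw_content_match(SAMPLE_RESPONSE, b"ABC"))
    print("file_data buffer match:", file_data_match(SAMPLE_RESPONSE, b"ABC"))
```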