[Snort-users] [GZIP] Gzip inspection isn't working

Pablo Artuso artusopablo at ...11827...
Wed Aug 13 07:49:28 EDT 2014


Hi everybody,
The reason for this request is to ask for help matching some content in an
HTTP response that is compressed with gzip.
I have been doing a lot of research (web pages, the Snort manual, etc.) in order
to configure the http_inspect preprocessor properly to decompress and
analyze gzip, but without any positive result.

Here is my http_inspect and stream5 configuration:

    ---------------------------------------------------------------
    preprocessor stream5_global: \
      track_tcp yes \
      track_udp yes
    preprocessor stream5_tcp: \
      policy bsd, \
      timeout 86400, \
      ports both all
    preprocessor stream5_udp: \
      timeout 86400

    ---------------------------------------------------------------
    preprocessor http_inspect: \
      global \
      iis_unicode_map unicode.map 1252 \
      compress_depth 65535 decompress_depth 65535
    ---------------------------------------------------------------
    preprocessor http_inspect_server: \
      server default \
      profile all \
      client_flow_depth 0 \
      server_flow_depth 0 \
      post_depth 0 \
      extended_response_inspection \
      inspect_gzip \
      normalize_utf \
      normalize_headers \
      normalize_javascript \
      unlimited_decompress \
      ports { 80 8080 }
    ---------------------------------------------------------------

When I start Snort, the following information is printed:
    - Inspect HTTP Responses: YES
    - Normalize HTTP Headers: YES
    - Normalize Javascripts in HTTP Responses: YES
    - Unlimited decompression of gzip data from responses: YES
    - Extract Gzip from responses: YES

The rule I'm trying to match is something like this:
    alert tcp Ip $HttpPorts -> any any ( flow: to_client; file_data; content: "Earphones"; msg: "Earphones"; sid: 5000001; )


From Wireshark, I can see the "Earphones" string inside the packet's
decompressed payload, but the rule doesn't trigger.




Any kind of help will be very much appreciated.
Thanks very much!
Cheers,
Pablo

PS: I've also seen and tried these links without any luck:
    - http://blog.snort.org/2012/01/snort-2920-javascript-normalization.html
    - https://groups.google.com/forum/#!topic/mailing.unix.snort/eZgUhdKTle0
    - http://seclists.org/snort/2012/q2/646
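A deterministic way to check whether the rule above fires is to replay a known-good capture instead of live traffic. The script below is an added example, written for this page; it is not from the original post and not Snort project code. It writes a pcap containing one complete TCP session (handshake, GET, a gzip-compressed HTTP/1.1 response whose decompressed body contains "Earphones", and teardown) so that stream5 sees the whole session before http_inspect gets the response. The addresses 10.0.0.1/10.0.0.2, the ports, the MACs, the request and the page body are all constructed assumptions; when testing, the rule's `Ip` placeholder would be the server address 10.0.0.1 (or `any`). Run it, then `snort -c snort.conf -r gzip_test.pcap -A console`: if the alert fires on the pcap but not on live traffic, the capture path is the problem; if it does not fire on the pcap either, the preprocessor configuration is.

```python
"""Write a pcap with one HTTP session whose gzip-compressed response body
contains "Earphones", for testing a file_data rule offline with snort -r.
Added example, not from the original post; all addresses are constructed."""
import gzip
import struct

# Constructed test session; these addresses and MACs are assumptions, not from the post.
CLIENT_IP, SERVER_IP = "10.0.0.2", "10.0.0.1"
CLIENT_PORT, SERVER_PORT = 40000, 80
CLIENT_MAC = bytes.fromhex("020000000002")
SERVER_MAC = bytes.fromhex("020000000001")
SYN, ACK, PSH, FIN = 0x02, 0x10, 0x08, 0x01

HTTP_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
                b"Accept-Encoding: gzip\r\n\r\n")
BODY = b"<html><body><h1>Earphones on sale</h1></body></html>"  # constructed sample body


def build_gzip_response(body=BODY):
    """HTTP/1.1 200 response whose body is gzip-compressed (Content-Encoding: gzip)."""
    compressed = gzip.compress(body, mtime=0)  # mtime=0 makes the output deterministic
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Encoding: gzip\r\nContent-Length: %d\r\n"
            b"Connection: close\r\n\r\n" % len(compressed)) + compressed


def decompressed_body(response):
    """Split off the headers and gunzip the body, as http_inspect must before file_data matches."""
    return gzip.decompress(response.split(b"\r\n\r\n", 1)[1])


def checksum(data):
    """RFC 1071 ones'-complement sum used by the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_frame(src_ip, dst_ip, src_mac, dst_mac, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame (no options) with valid IP and TCP checksums."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp + payload


def verify_checksums(frame):
    """Recompute both checksums of a frame built above; a valid frame sums to zero."""
    ip, seg = frame[14:34], frame[34:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    return checksum(ip) == 0 and checksum(pseudo + seg) == 0


def build_session(response=None):
    """Handshake, request, gzip response and teardown: the full session stream5 reassembles."""
    if response is None:
        response = build_gzip_response()
    c_isn, s_isn = 1000, 5000
    req_len, resp_len = len(HTTP_REQUEST), len(response)

    def client(seq, ack, flags, payload=b""):
        return tcp_frame(CLIENT_IP, SERVER_IP, CLIENT_MAC, SERVER_MAC,
                         CLIENT_PORT, SERVER_PORT, seq, ack, flags, payload)

    def server(seq, ack, flags, payload=b""):
        return tcp_frame(SERVER_IP, CLIENT_IP, SERVER_MAC, CLIENT_MAC,
                         SERVER_PORT, CLIENT_PORT, seq, ack, flags, payload)

    return [
        client(c_isn, 0, SYN),
        server(s_isn, c_isn + 1, SYN | ACK),
        client(c_isn + 1, s_isn + 1, ACK),
        client(c_isn + 1, s_isn + 1, PSH | ACK, HTTP_REQUEST),
        server(s_isn + 1, c_isn + 1 + req_len, ACK),
        server(s_isn + 1, c_isn + 1 + req_len, PSH | ACK, response),
        client(c_isn + 1 + req_len, s_isn + 1 + resp_len, ACK),
        server(s_isn + 1 + resp_len, c_isn + 1 + req_len, FIN | ACK),
        client(c_isn + 1 + req_len, s_isn + 2 + resp_len, FIN | ACK),
        server(s_isn + 2 + resp_len, c_isn + 2 + req_len, ACK),
    ]


def pcap_bytes(frames, base_time=1407916168):
    """Serialize frames in classic libpcap format (LINKTYPE_ETHERNET), 1 ms apart."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", base_time + i // 1000, (i % 1000) * 1000,
                               len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def write_pcap(path, frames):
    """Write the session to disk; returns the number of frames written."""
    with open(path, "wb") as f:
        f.write(pcap_bytes(frames))
    return len(frames)


if __name__ == "__main__":
    print("wrote", write_pcap("gzip_test.pcap", build_session()), "frames")
```

The response is kept small enough to fit one segment, so the only thing Snort has to do is decompress it; if that works on the pcap, the next step is to grow BODY past the configured decompress_depth and watch the match disappear, which separates depth limits from a non-working inspect_gzip.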