[Snort-users] HTTP Response GZIP Decompression Failed

Dan Roberts danroberts2604 at ...11827...
Mon Jun 20 06:10:33 EDT 2016


Hello,

I note a lot of "(120:6) HTTP RESPONSE GZIP DECOMPRESSION FAILED " alerts
fired by my http_inspect preprocessor.

I read int he doc that "...the preprocessor generates an alert with gid 120
and sid 6 when the decompression fails."

Do you have any idea how I could check why does the decompression fails ?
Password protected files ?

In my confirg, unlimited_decompress is set and the decompress_depth is set
to 65535.
Max_gzip_mem is set to its default value (838860), and I didnt found any
max value to set for this.

Any idea ?

Thanks

Dan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20160620/5a60136a/attachment.html>


More information about the Snort-users mailing list