IDS mailing list archives
Snort vs. compressed HTML
From: "Gary Freeman" <Gary.Freeman () rci rogers com>
Date: Tue, 9 Nov 2004 17:54:34 -0500
Good day list...
I have been searching a number of IDS lists (including focus-ids) in
hopes of finding a solution for a problem I have in detecting URI string
content with Snort 2.x and compressed HTML. I can't seem to find any
answers. I Googled first ;)
There don't seem to be any preprocessors or reassemblers for
compressed HTTP (commonly known as "transfer-encoding" or
"content-encoding") defined by RFC 2616: HTTP 1.1
http://www.w3.org/Protocols/rfc2616/rfc2616.html
I would like the ability to pattern-match strings of text in
encoded HTML, but accelerators that use the likes of GZIP or Compress
before forwarding the content reduce the data to gobbledygook, which
is unreadable right off the wire.
Has anyone else had this problem, and if so, what would you suggest? I
can't normalize the data with a proxy or web caches due to our
architecture. Is there a way (plugins, preprocessors, etc.) of getting
Snort to capture and decode GZIP or Compress data so that I can do my
URI match?
Thanks,
GTF
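The gap the post describes is a decoding step that has to run before any content match on a compressed HTTP response: the inspection engine must first undo the framing declared by Transfer-Encoding (chunked), then the compression declared by Content-Encoding (gzip or deflate), and only then search the reconstructed body. The following Python is an added example written for this archive page, not code from the post, from Snort or from any Snort preprocessor; the HTTP response it inspects is constructed in the script, the function names (build_response, normalize_body, matches) are this example's own, and "Compress" in the post is treated as deflate since RFC 2616 names gzip and deflate as content-codings. It shows the raw bytes failing a literal match while the normalized body succeeds, and it treats a truncated or corrupt stream as undecodable instead of matching on garbage.

```python
import gzip
import zlib
from typing import Dict, Optional, Tuple

# Constructed sample (not captured traffic): an HTML body carrying a marker
# string that a content rule would look for.
MARKER = b"<!-- matched-signature -->"
HTML_BODY = (
    b"<html><head><title>example</title></head><body>"
    b"<p>hello hello hello</p>" + MARKER + b"<p>goodbye goodbye</p>"
    b"</body></html>"
)


def build_response(body: bytes, encoding: str = "gzip", chunked: bool = False) -> bytes:
    """Build a minimal HTTP/1.1 response, optionally content-coded and chunked."""
    if encoding == "gzip":
        payload = gzip.compress(body)
    elif encoding == "deflate":
        payload = zlib.compress(body)
    elif encoding == "identity":
        payload = body
    else:
        raise ValueError("unsupported content-coding: %s" % encoding)
    headers = [b"HTTP/1.1 200 OK", b"Content-Type: text/html"]
    if encoding != "identity":
        headers.append(b"Content-Encoding: " + encoding.encode())
    if chunked:
        headers.append(b"Transfer-Encoding: chunked")
        # One chunk carrying the whole payload, then the terminating zero-length chunk.
        payload = b"%x\r\n" % len(payload) + payload + b"\r\n0\r\n\r\n"
    else:
        headers.append(b"Content-Length: %d" % len(payload))
    return b"\r\n".join(headers) + b"\r\n\r\n" + payload


def parse_headers(raw: bytes) -> Tuple[Dict[bytes, bytes], bytes]:
    """Split a response into a lower-cased header map and the raw body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body


def dechunk(body: bytes) -> bytes:
    """Undo chunked transfer-coding; raises ValueError on malformed framing."""
    out = b""
    pos = 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            break
        out += body[pos:pos + size]
        pos += size + 2  # skip chunk data and its trailing CRLF
    return out


def normalize_body(raw: bytes) -> Optional[bytes]:
    """Return the body as the browser would see it, or None if it cannot be decoded."""
    headers, body = parse_headers(raw)
    try:
        if b"chunked" in headers.get(b"transfer-encoding", b""):
            body = dechunk(body)
        coding = headers.get(b"content-encoding", b"identity")
        if coding == b"gzip":
            body = gzip.decompress(body)
        elif coding == b"deflate":
            body = zlib.decompress(body)
    except (ValueError, EOFError, zlib.error, OSError):
        # Truncated or corrupt stream: report as undecodable rather than
        # matching on partial output.
        return None
    return body


def raw_matches(raw: bytes, pattern: bytes) -> bool:
    """What a plain content match on the wire bytes sees."""
    return pattern in raw


def matches(raw: bytes, pattern: bytes) -> bool:
    """Content match after the decoding step; undecodable bodies never match."""
    body = normalize_body(raw)
    return body is not None and pattern in body


if __name__ == "__main__":
    resp = build_response(HTML_BODY)
    print("raw match:    ", raw_matches(resp, MARKER))   # False: body is gzip data
    print("decoded match:", matches(resp, MARKER))       # True after decompression
```

The order matters: chunked framing is removed first because it wraps the compressed payload, and the compression is undone second. A decoder that works from a capture also needs the full TCP stream reassembled before this step, since a gzip member split across packets cannot be inflated from one segment.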