Snort mailing list archives

Re: Snort and gzip Encode Question


From: dajackman <robby.lists () gmail com>
Date: Fri, 19 Aug 2005 10:35:48 -0400

Thanks for the reply.  I was wondering if SNORT can decode compressed
html.  mod_gzip for Apache "...allows for using the compression method
gzip for a significant reduction of the volume of web page content
served over the HTTP protocol."
http://www.schroepl.net/projekte/mod_gzip/

Basically the HTML content is compressed by the web server and sent to
the browser where it is uncompressed.  I'm thinking this may create
some challenges with SNORT.

-- 
-dajackman

On 8/19/05, Joel Esler <joel.esler () sourcefire com> wrote:
It is possible to catch a gzip'ed file by looking for the gzip's hex
value.

I don't know if that is what you are looking for...  |1F 8B 08| is gz.
|50 4B 03 04| is .zip

Joel


On Aug 19, 2005, at 9:17 AM, dajackman wrote:

I'm trying to come up with a rule to catch this Internet Explorer
(.Net) 0day Exploit.  While playing around with a rule I came up with
a question I haven't found the answer to.  Can snort do anything with
compressed html/gzip encoding?  A quick Google search and SNORT Doc
peek didn't produce much.  Thanks.

-dajackman


-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
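
Added example, not part of the original thread and not Snort code: a Python sketch of the gap discussed above, where a content match on the raw bytes of a gzip-encoded HTTP body misses a string that is found once the body is decompressed, while the |1F 8B 08| and |50 4B 03 04| magic bytes only identify the container. The sample page, the `EXAMPLE-MARKER` string and all function names are constructed for illustration.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"   # |1F 8B 08|, as quoted in the thread
ZIP_MAGIC = b"PK\x03\x04"      # |50 4B 03 04|, as quoted in the thread

def split_http(raw):
    """Split a raw HTTP response into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body

def inspect(raw, pattern, max_out=1 << 20):
    """Compare a match on the bytes on the wire with a match after gunzip."""
    headers, body = split_http(raw)
    if body.startswith(GZIP_MAGIC):
        container = "gzip"
    elif body.startswith(ZIP_MAGIC):
        container = "zip"
    else:
        container = None
    result = {"container": container, "raw_match": pattern in body,
              "decoded_match": None}
    claims_gzip = b"gzip" in headers.get(b"content-encoding", b"")
    if container == "gzip" or claims_gzip:
        try:
            # wbits=31 expects gzip framing; max_out caps the inflated size
            decoded = zlib.decompressobj(31).decompress(body, max_out)
            result["decoded_match"] = pattern in decoded
        except zlib.error:
            result["decoded_match"] = False   # header says gzip, body is not
    return result

def build_response(html, compress):
    """Constructed response; compress=True mimics a mod_gzip style reply."""
    body = gzip.compress(html) if compress else html
    head = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    if compress:
        head += b"Content-Encoding: gzip\r\n"
    return head + b"Content-Length: %d\r\n\r\n" % len(body) + body

# Constructed sample page and signature string (not from any real exploit).
PATTERN = b"clsid:EXAMPLE-MARKER"
SAMPLE_HTML = (b"<html><body>" + b"<p>filler</p>" * 20 +
               b"<object classid='" + PATTERN + b"'></object></body></html>")

if __name__ == "__main__":
    print(inspect(build_response(SAMPLE_HTML, False), PATTERN))
    print(inspect(build_response(SAMPLE_HTML, True), PATTERN))
```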