Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
[Snort-users] how to write rule to match content in http responce gzip encoding?
411 views
Skip to first unread message
Mitesh Jadia
Dec 13, 2012, 12:57:44 PM12/13/12
to
Hello,
I am writing one rule like
content:"ABC";nocase;msg:....
http response is in gzip encoding and I have enabled ZLIB while configuring snort. Also http_inspect preprocessor configuration is set to extended_response_inspection. But this rule is not getting matched.
Please show me proper way.
Regards,
Mitesh
waldo kitty
Dec 13, 2012, 1:13:44 PM12/13/12
to
away... we cannot tell without seeing the rule...
there are several ways to do things and one answer is not always /the/ only
answer...
------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
James Lay
Dec 13, 2012, 6:14:57 PM12/13/12
to
On 2012-12-13 10:57, Mitesh Jadia wrote:
> Hello,
>
> I am writing one rule like
> content:"ABC";nocase;msg:....
>
> http response is in gzip encoding and I have enabled ZLIB while
> configuring snort. Also http_inspect preprocessor configuration is
> set
> to extended_response_inspection. But this rule is not getting
> matched.
>
>
> Please show me proper way.
>
> Regards,> Hello,
>
> I am writing one rule like
> content:"ABC";nocase;msg:....
>
> http response is in gzip encoding and I have enabled ZLIB while
> configuring snort. Also http_inspect preprocessor configuration is
> set
> to extended_response_inspection. But this rule is not getting
> matched.
>
>
> Please show me proper way.
>
> Mitesh
Make sure you enable inspect_gzip in your http_inspect. You'll also
need the file_data; in order to normalize the content.
http://manual.snort.org/node398.html
Hope that helps.
James
Mitesh Jadia
Dec 14, 2012, 1:33:42 AM12/14/12
to
file_data was missing in my rule. It worked. Thank you.
Rule I was trying was
drop tcp any any -> any any (content:"ABC";nocase; msg:"detected in gzip response"; sid:10000001;)
This rule worked to detect in gzip content of http response.
drop tcp any any -> any any (file_data;content:"ABC";nocase; msg:"detected in gzip response"; sid:10000001;)
0 new messages