Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] Snort and gzip Encode Question

from [dajackman] Network Security [Permanent Link]
Subject: Re: [Snort-users] Snort and gzip Encode Question
Date: Fri, 19 Aug 2005 10:35:48 -0400 
Thanks for the reply.  I was wondering if SNORT can decode compressed
html.  mod_gzip for Apache "...allows for using the compression method
gzip for a significant reduction of the volume of web page content
served over the HTTP protocol."
http://www.schroepl.net/projekte/mod_gzip/

Basically the HTML content is compressed by the web server and sent to
the browser where it is uncompressed.  I'm thinking this may create
some challenges with SNORT.

-- 
-dajackman

On 8/19/05, Joel Esler <joel.esler@sourcefire.com> wrote:

It is possible to catch a gzip'ed file by looking for the gzip's hex
value..

I don't know if that is what you are looking for...  |1F 8B 08| is gz.
|50 4B 03 04| is .zip

Joel


On Aug 19, 2005, at 9:17 AM, dajackman wrote:


I'm trying to come up with a rule to catch this Internet Explorer
(.Net) 0day Exploit.  While playing around with a rule I came up with
a question I haven't found the answer to.  Can snort do anything with
compressed html/gzip
encoding?  A quick google search and SNORT Doc peek didn't produce
much.  Thanks.

-dajackman


-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle
Practices
Agile & Plan-Driven Development * Managing Projects & Teams *
Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/
bsce5sf
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users







-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Re[4]: [Snort-users] unified format, Roland Turner (SourceForge)
Next by Date:  Fwd: Re[4]: [Snort-users] unified format, Bamm Visscher
Previous by Thread:  Re: [Snort-users] Snort and gzip Encode Question, Joel Esler
Next by Thread:  [Snort-users] Bleeding Rules not detecting, Brian Blake
Indexes:  [Date] [Thread] [Top] [All Lists]