<p><strong>Suricata - Bug #229: Gzip & Chunk encoding issue</strong> (Open Information Security Foundation, <a href="https://redmine.openinfosecfoundation.org/issues/229">https://redmine.openinfosecfoundation.org/issues/229</a>)</p>
<p><strong>Updated by Gurvinder Singh (gurvindersinghdahiya@gmail.com)</strong> on 2010-08-28 22:44:44Z</p>
<ul><li><strong>File</strong> <a href="/attachments/316">out.log</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/316/out.log">out.log</a> added</li></ul><p>1. The sigs provided are scanning with the content keyword, whereas the content which they intend to scan is in gzip format. So to detect the attack correctly, there should be an app layer keyword with it. The correct sig for iframe will be</p>
<p>alert tcp any any -> any any (msg:"MALVERTISING hidden iframe served by nginx 2"; content:"iframe"; http_server_body; nocase; classtype:bad-unknown; sid:5600066; rev:1;)</p>
<p>As the content which needs to be scanned is in the http_body, which contains the unzipped contents of the packets. I am attaching the output log from both the pcaps, which will show the content which both sigs intend to find. This is generated by adding the callback function to htplib as</p>
<p>htp_config_register_response_body_data(cfglist.cfg, HTPCallbackRequestBodyData);</p>
<p>to merely show the content of unzipped contents.</p>
<p>2. Another issue is that we don't have an http_server_body keyword to detect attacks such as drive-by download attacks, as the current keyword http_client_body looks only at the HTTP requests. Hopefully support for this will be added soon.</p>
<p><strong>Updated by Victor Julien (victor@inliniac.net)</strong> on 2011-11-07 11:22:31Z</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Assigned</i></li><li><strong>Assignee</strong> set to <i>Victor Julien</i></li><li><strong>Target version</strong> set to <i>1.2</i></li></ul><p>Related to issue <a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Bug: gzipped http content does not get unzipped and processed (Closed)" href="https://redmine.openinfosecfoundation.org/issues/308">#308</a>.</p>
<p><strong>Updated by Victor Julien (victor@inliniac.net)</strong> on 2011-12-19 05:50:00Z</p>
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Closed</i></li><li><strong>Target version</strong> changed from <i>1.2</i> to <i>1.2beta1</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>http_server_body and file_data have been implemented. Both inspect the normalized/dechunked/unzipped response body.</p>