Suricata

1. The sig provided are scanning the content keyword, where as the content which they intent to scan is in gzip format. So to detect correctly the attack, there should be app layer keyword with it. The correct sig for iframe will be

alert tcp any any -> any any (msg:"MALVERTISING hidden iframe served by nginx 2"; content:"iframe"; http_server_body; nocase; classtype:bad-unknown; sid:5600066; rev:1;)

As the content which needs to be scanned is in the http_body, which contains the unzipped contents of the packets. I am attaching the out put log from both the pcaps, which will show the content which both sigs are intent to find. This is generated by adding the callback function to htplib as

htp_config_register_response_body_data(cfglist.cfg, HTPCallbackRequestBodyData);

to merely show the content of unzipped contents.

2. Another issue is that we dont have http_server_body keyword to detect the attack such drive by downloads attacks. As the current keyword http_client_bidy look for only on the http requests. Hopefully support for this will be added soon.

Related to issue #308.

http_server_body and file_data have been implemented. Both inspect the normalized/dechunked/unzipped response body.