Bug #2510: Suricata doesnt decompress HTTP Post body - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #2510

closed

AA PA

Suricata doesnt decompress HTTP Post body

Bug #2510: Suricata doesnt decompress HTTP Post body

Added by ajaxtpm ajaxtpm almost 8 years ago. Updated over 4 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Philippe Antoine

Target version:

7.0.0-beta1

Affected Versions:

Effort:

medium

Difficulty:

medium

Label:

Description

The subject is self-explained. If I send a HTTP Post request with gzipped Post body it doesnt get decompressed and cleartext inside could not be inspected by signatures.
Of course it is the IDS bypass technique.

Example signatures:
alert http any any -> any any (msg: "GZIPPED REQUEST"; flow: established, to_server; content: "name"; http_client_body; nocase; sid: 1; rev: 1; )
alert http any any -> any any (msg: "TO_SERVER |1F 8B|"; flow: established, to_server; content: "|1F 8B|"; http_client_body; sid: 2; rev: 1; )

Pcap Attached

Expectation: alert sid 1
Reality: alert sid 2

Files

gzip_post.pcap (1.23 KB) gzip_post.pcap

ajaxtpm ajaxtpm, 06/04/2018 04:55 PM

Related issues 1 (0 open — 1 closed)

Actions

Copy link

Also available in: PDF Atom

Project

General

Profile

Suricata

Custom queries

Bug #2510

Suricata doesnt decompress HTTP Post body

AH Updated by Andreas Herz almost 8 years ago Actions
Copy link
#1

VJ Updated by Victor Julien over 7 years ago Actions
Copy link
#2

AA Updated by ajaxtpm ajaxtpm over 7 years ago Actions
Copy link
#3

VJ Updated by Victor Julien over 7 years ago Actions
Copy link
#4

VJ Updated by Victor Julien over 6 years ago Actions
Copy link
#5

VJ Updated by Victor Julien about 6 years ago Actions
Copy link
#6

PA Updated by Philippe Antoine about 6 years ago Actions
Copy link
#7

PA Updated by Philippe Antoine about 6 years ago Actions
Copy link
#8

PA Updated by Philippe Antoine over 5 years ago Actions
Copy link
#9

VJ Updated by Victor Julien over 5 years ago Actions
Copy link
#10

VJ Updated by Victor Julien over 5 years ago Actions
Copy link
#11

PA Updated by Philippe Antoine about 5 years ago Actions
Copy link
#12

VJ Updated by Victor Julien over 4 years ago Actions
Copy link
#13

Project

General

Profile

Suricata

Custom queries

Bug #2510

Suricata doesnt decompress HTTP Post body

AH Updated by Andreas Herz almost 8 years ago ActionsCopy link #1

VJ Updated by Victor Julien over 7 years ago ActionsCopy link #2

AA Updated by ajaxtpm ajaxtpm over 7 years ago ActionsCopy link #3

VJ Updated by Victor Julien over 7 years ago ActionsCopy link #4

VJ Updated by Victor Julien over 6 years ago ActionsCopy link #5

VJ Updated by Victor Julien about 6 years ago ActionsCopy link #6

PA Updated by Philippe Antoine about 6 years ago ActionsCopy link #7

PA Updated by Philippe Antoine about 6 years ago ActionsCopy link #8

PA Updated by Philippe Antoine over 5 years ago ActionsCopy link #9

VJ Updated by Victor Julien over 5 years ago ActionsCopy link #10

VJ Updated by Victor Julien over 5 years ago ActionsCopy link #11

PA Updated by Philippe Antoine about 5 years ago ActionsCopy link #12

VJ Updated by Victor Julien over 4 years ago ActionsCopy link #13

AH Updated by Andreas Herz almost 8 years ago Actions
Copy link
#1

VJ Updated by Victor Julien over 7 years ago Actions
Copy link
#2

AA Updated by ajaxtpm ajaxtpm over 7 years ago Actions
Copy link
#3

VJ Updated by Victor Julien over 7 years ago Actions
Copy link
#4

VJ Updated by Victor Julien over 6 years ago Actions
Copy link
#5

VJ Updated by Victor Julien about 6 years ago Actions
Copy link
#6

PA Updated by Philippe Antoine about 6 years ago Actions
Copy link
#7

PA Updated by Philippe Antoine about 6 years ago Actions
Copy link
#8

PA Updated by Philippe Antoine over 5 years ago Actions
Copy link
#9

VJ Updated by Victor Julien over 5 years ago Actions
Copy link
#10

VJ Updated by Victor Julien over 5 years ago Actions
Copy link
#11

PA Updated by Philippe Antoine about 5 years ago Actions
Copy link
#12

VJ Updated by Victor Julien over 4 years ago Actions
Copy link
#13