Suricata

This won't match. The content keyword is matched against the raw stream/payload, while the data is gzipped response body. So the right way to do this would be to have a keyword like "http_server_body" just like how we have "http_client_body" currently, and use it this way

alert tcp any any -> any any (content:implementation; http_server_body;)

which would now search the gunzip'ed server response body for the string "implementation"

We don't support such a keyword as yet. You can probably raise a feature request.

I think I misunderstood http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/82-suricata-beta-available then.

The page says 'Gzip Decompression - The HTP Parser will decode Gzip compressed streams, allowing much more detailed matching within the engine.' I thought it meant Suricata would unzip http requests which are zipped by mod_deflate. If I'm wrong then indeed it's not a bug and I should raise a feature request.

Sander Klein wrote:

I think I misunderstood http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/82-suricata-beta-available then.

The page says 'Gzip Decompression - The HTP Parser will decode Gzip compressed streams, allowing much more detailed matching within the engine.' I thought it meant Suricata would unzip http requests which are zipped by mod_deflate.

Your understanding is right here. Suricata does decompress the gzipped response(to be more precise, Suricata's http engine, libhtp, does the decompression), but it doesn't use this decompressed response to match against any keywords, since it currently has no keywords that inspects the response body.

If I'm wrong then indeed it's not a bug and I should raise a feature request.

Yes, it's not a bug, but a feature request for a new "keyword"(http_server_body probably), that would allow suricata to inspect the response body. Once we have such a keyword you can use it as "content:implementation; http_server_body;", following which this keyword would then inspect the deflated response for "implementation".