Feature #6922

open

Have a way to manually request decompression/inflate if headers are not present

Added by Jason Taylor about 1 month ago. Updated about 1 month ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

This is a follow up from a discord discussion here:
https://discord.com/channels/864648830553292840/906009559276081182/1225415703675539556

The sample I was looking at (03f80949b6a0d5148c4e0d0557175131) gzips the JSON data that is put into the request body prior to sending the data. The requisite HTTP headers are not set to have libhtp decompress the body. It would be nice to be able to have a keyword or transform to uncompress/inflate the data for content matching.

The pcap from one of the VirusTotal sandbox runs is attached.



#1

Updated by Victor Julien about 1 month ago

I could think of 2 ways to approach a feature like this:

1. as a transform, e.g. "decompress_gzip" or something. However, this would only work for the start of the body, as we need the gzip header of the compressed data.

2. a "config" directive, e.g. something like
config http1 any any -> any any (... config:force decompress_gzip, scope tx;)
However, here we'd run into the problem that this rule may run too late and normal body processing may have already started.

I guess a 3rd way could be to just probe the body regardless of HTTP headers, and try to decompress it if it appears to be gzip. I wonder if this could open the door to false negatives though. Insert a fake gzip header and confuse suri.
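Added example, not part of the thread and not Suricata or libhtp code: a sketch of the third approach above (probe the body for a gzip header regardless of the HTTP headers, then inflate) together with the fake-header case it worries about. The probe only looks at the RFC 1952 magic and method bytes, the inflate step is bounded in output size and requires a complete member, and on any failure the raw body is handed back unchanged so rules that match the raw bytes are not suppressed by a forged header. Function names and the sample payloads (`SAMPLE_GZ`, `FAKE_GZ`, `BOMB_GZ`) are constructed for this example.

```python
"""Probe an HTTP body for gzip and inflate it only when the stream checks out.

Added example for this thread, not Suricata or libhtp code. It sketches the
"probe the body regardless of headers" approach from the comment above and
the failure mode raised there: a body that carries a valid-looking gzip header
but is not a real gzip stream. All sample payloads below are constructed.
"""
import gzip
import json
import zlib

GZIP_MAGIC = b"\x1f\x8b"   # RFC 1952 ID1/ID2
GZIP_CM_DEFLATE = 0x08     # the only compression method gzip defines
GZIP_HEADER_LEN = 10       # fixed part of the member header

# Constructed sample bodies (not taken from the pcap mentioned in the ticket).
SAMPLE_JSON = {"host": "example-host", "user": "alice"}
SAMPLE_GZ = gzip.compress(json.dumps(SAMPLE_JSON).encode())
# Valid 10-byte gzip header (flags, mtime, xfl, os all zero) followed by junk:
# passes the magic check but the payload is not a deflate stream.
FAKE_GZ = b"\x1f\x8b\x08" + b"\x00" * 7 + b"not gzip at all"
# 2 MiB of zeros compresses to a few KiB: a small decompression bomb.
BOMB_GZ = gzip.compress(b"\x00" * (2 << 20))


def looks_like_gzip(body: bytes) -> bool:
    """Cheap header probe: magic bytes plus the deflate method byte."""
    return (len(body) >= GZIP_HEADER_LEN
            and body[:2] == GZIP_MAGIC
            and body[2] == GZIP_CM_DEFLATE)


def try_inflate(body: bytes, max_out: int = 1 << 20):
    """Return (ok, data).

    ok is True only when the body is one complete gzip member that inflates
    to at most max_out bytes; data is then the inflated bytes. In every
    other case ok is False and data is the untouched body, so the caller can
    still match rules against the raw bytes.
    """
    if not looks_like_gzip(body):
        return False, body
    # wbits=16+MAX_WBITS: accept gzip framing only, not raw deflate or zlib.
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    try:
        out = d.decompress(body, max_out)
        if d.unconsumed_tail:
            # Output cap reached with input left over: oversized or a bomb.
            return False, body
        out += d.flush()
    except zlib.error:
        # The header lied (e.g. FAKE_GZ): the bytes after it are not deflate.
        return False, body
    if not d.eof:
        # Truncated member: the CRC32/ISIZE trailer was never reached.
        return False, body
    return True, out


def match_inflated(body: bytes, needle: bytes) -> bool:
    """Emulate a 'decompress, then content-match' transform.

    A forged header cannot produce a false positive here, and because
    try_inflate hands back the raw body on failure, a rule that also matches
    the raw body is not suppressed either.
    """
    ok, data = try_inflate(body)
    return ok and needle in data


def inflated_json(body: bytes):
    """Parse the inflated body as JSON; None if it did not inflate or parse."""
    ok, data = try_inflate(body)
    if not ok:
        return None
    try:
        return json.loads(data)
    except ValueError:
        return None


if __name__ == "__main__":
    for name, body in (("sample", SAMPLE_GZ), ("fake", FAKE_GZ), ("bomb", BOMB_GZ)):
        ok, data = try_inflate(body)
        print(f"{name}: probe={looks_like_gzip(body)} inflated={ok} bytes={len(data)}")
```

The practical answer to the false-negative worry is visible in `try_inflate`: the probe never replaces the raw body, it only adds an inflated view when a complete, size-bounded member decodes cleanly, so a rule writer can match either view. The output cap matters for an IDS as much as correctness does, since an attacker-controlled body that inflates without limit is a cheap way to exhaust the engine.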
