Feature #6922
open
Have a way to manually request decompression/inflate if headers are not present
Added by Jason Taylor 4 months ago.
Updated 4 months ago.
Description
This is a follow up from a discord discussion here:
https://discord.com/channels/864648830553292840/906009559276081182/1225415703675539556
The sample I was looking at (03f80949b6a0d5148c4e0d0557175131) gzip's the json data that is put into the request body prior to sending the data. The requisite http headers are not set to have libhtp decompress the body. It would be nice to be able to have a keyword or transform to uncompress/inflate the data for content matching.
The pcap from one of the virustotal sandbox run is attached.
Files
I could think of 2 ways to approach a feature like this:
1. as a transform, e.g. "decompress_gzip" or something. However this would only work for the start of the body, as we need a gzip header of the compressed data
2. a "config" directive, e.g. something like
config http1 any any -> any any (... config:force decompress_gzip, scope tx;)
However here we'd run into the problem that this rule may run too late and normal body processing may have already started.
I guess a 3rd way could be to just probe the body regardless of http headers, and try to decompress it if it appears to be gzip. I wonder if this could open the door to false negatives though. Insert a fake gzip header and confuse suri.
Also available in: Atom
PDF