Project

General

Profile

Actions
Copy link

Feature #6922

open
JT OD

Have a way to manually request decompression/inflate if headers are not present

Feature #6922: Have a way to manually request decompression/inflate if headers are not present

Added by Jason Taylor about 2 years ago. Updated about 2 years ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Effort:
Difficulty:
Label:

Description

This is a follow up from a discord discussion here:
https://discord.com/channels/864648830553292840/906009559276081182/1225415703675539556

The sample I was looking at (03f80949b6a0d5148c4e0d0557175131) gzip's the json data that is put into the request body prior to sending the data. The requisite http headers are not set to have libhtp decompress the body. It would be nice to be able to have a keyword or transform to uncompress/inflate the data for content matching.

The pcap from one of the virustotal sandbox run is attached.

Files

5f9c156ac89f910b527a71ae3395006cfe2c8d2fce6ba4712b324149f0707f1f_Zenbox.pcap (1.77 MB) 5f9c156ac89f910b527a71ae3395006cfe2c8d2fce6ba4712b324149f0707f1f_Zenbox.pcap Jason Taylor, 04/05/2024 01:01 PM

Related issues 1 (0 open1 closed)

Related to Suricata - Feature #7846: rules/transform: add gunzip transformClosedPhilippe AntoineActions
Actions
Copy link

Also available in: PDF Atom