Feature #7846
openrules/transform: add gunzip transform
Description
We've seen many use cases in which we would love the ability to utilise some sort of gzip keyword/transformation to allow us to match content within that decompressed buffer. This should function similarly to how base64 keywords work.
A recent example saw a HTTP POST request with a base64 string parameter value. Once decoded, that base64 string contained a gzip compressed data blob which ended up being a malicious executable. Unfortunately, due to this limitation, we were only able to use base64 keywords and then write a signature on the gzip header.
This new feature would allow us to write signatures 1 layer deeper and to identify and differentiate between malicious and benign depending on what is found in that final layer.
ex.
gzip_decompress:relative; gzip_data; content:"blah";
Updated by Victor Julien 8 days ago
- Subject changed from add the ability to manually call gzip decompress on any buffer and use it with other keywords and transformations to rules/transform: add gunzip transform
Updated by Victor Julien 8 days ago
I think this should be a regular transform and not use the old base64 pattern with base64_decode; base64_data;
Since decompression comes with some problems, we should be careful about imposing limits.
There should be global hard limits for max decompressed size, possibly also for the input to output ratio.
Then the rule should be able to specify the same settings. The rule limits may not exceed the global limits.
e.g.
# specify limits in the rule file.data; gzip_decompress: max-size 1MiB, max-ratio 10; content:"MZ"; # use global limits file.data; gzip_decompress; content:"MZ";
Other options that might make sense are around how many bytes to consider for decompression on the input size.