Feature #7846: rules/transform: add gunzip transform

Added by James Emery-Callcott 8 months ago. Updated 24 days ago.

Status: Closed
Priority: Normal
Target version:
Effort:
Difficulty:
Label:

Description

We've seen many use cases in which we would love the ability to utilise some sort of gzip keyword/transformation to allow us to match content within that decompressed buffer. This should function similarly to how base64 keywords work.

A recent example saw an HTTP POST request with a base64 string parameter value. Once decoded, that base64 string contained a gzip compressed data blob which ended up being a malicious executable. Unfortunately, due to this limitation, we were only able to use base64 keywords and then write a signature on the gzip header.

This new feature would allow us to write signatures 1 layer deeper and to identify and differentiate between malicious and benign depending on what is found in that final layer.

ex.

gzip_decompress:relative; gzip_data; content:"blah";


Subtasks (1 total: 0 open, 1 closed)

Feature #8235: rules/transform: add gunzip transform (8.0.x backport) - Closed - Philippe Antoine

Related issues (1 total: 1 open, 0 closed)

Related to Suricata - Feature #6922: Have a way to manually request decompression/inflate if headers are not present - New - OISF Dev

#1 Updated by Stuart DC 8 months ago

Preferably, adding gzip decompression (gunzip) to the transformations would allow us not only to transform any given buffer but also to enable detection writers to transform carved buffers via pcrexform.

#2 Updated by Victor Julien 3 months ago

  • Subject changed from "add the ability to manually call gzip decompress on any buffer and use it with other keywords and transformations" to "rules/transform: add gunzip transform"

#3 Updated by Victor Julien 3 months ago

I think this should be a regular transform and not use the old base64 pattern with base64_decode; base64_data;

Since decompression comes with some problems, we should be careful about imposing limits.

There should be global hard limits for max decompressed size, possibly also for the input to output ratio.

Then the rule should be able to specify the same settings. The rule limits may not exceed the global limits.

e.g.

# specify limits in the rule
file.data; gzip_decompress: max-size 1MiB, max-ratio 10; content:"MZ";
# use global limits
file.data; gzip_decompress; content:"MZ";

Other options that might make sense are around how many bytes to consider for decompression on the input side.
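As an added illustration of the limit scheme sketched in comment #3 (example code written for this page, not code from the ticket or from Suricata): a bounded gunzip transform with a global hard ceiling on decompressed size and on the input-to-output ratio, per-rule limits parsed from the "max-size 1MiB, max-ratio 10" option syntax above and rejected at rule load when they exceed the global ones, and the decompressed buffer then checked for the content match. It also walks the case from the description (base64 POST parameter, gzip inside, executable inside that). The global values, the function names, the status strings and the sample inputs are all assumptions constructed for the example; Suricata's real defaults and keyword internals are not stated in this ticket.

```python
import base64
import gzip
import hashlib
import zlib
from dataclasses import dataclass

# Hypothetical global hard limits. The ticket asks for them but does not state
# Suricata's actual defaults; these numbers are assumptions for the example.
GLOBAL_MAX_SIZE = 1024 * 1024   # decompressed bytes
GLOBAL_MAX_RATIO = 10           # decompressed bytes per compressed input byte

_UNITS = {"mib": 1024 ** 2, "kib": 1024, "b": 1}   # checked longest suffix first


@dataclass(frozen=True)
class GunzipLimits:
    max_size: int
    max_ratio: int


def parse_size(text: str) -> int:
    """Parse '8', '64KiB' or '1MiB' (suffix is case-insensitive)."""
    t = text.strip().lower()
    for suffix, mult in _UNITS.items():
        if t.endswith(suffix):
            return int(t[: -len(suffix)]) * mult
    return int(t)


def parse_rule_limits(options: str) -> GunzipLimits:
    """Parse the 'max-size 1MiB, max-ratio 10' option string; an empty string means
    'use the global limits'. Limits above the global ones are rejected at rule load."""
    size, ratio = GLOBAL_MAX_SIZE, GLOBAL_MAX_RATIO
    for item in filter(None, (s.strip() for s in options.split(","))):
        key, _, value = item.partition(" ")
        if key == "max-size":
            size = parse_size(value)
        elif key == "max-ratio":
            ratio = int(value)
        else:
            raise ValueError(f"unknown gzip_decompress option {key!r}")
    if size > GLOBAL_MAX_SIZE or ratio > GLOBAL_MAX_RATIO:
        raise ValueError("rule limits may not exceed the global hard limits")
    return GunzipLimits(size, ratio)


def gunzip_transform(buf: bytes, limits: GunzipLimits, chunk: int = 4096):
    """Bounded gunzip of an arbitrary buffer.
    Returns (status, data) with status one of 'ok', 'not-gzip', 'corrupt',
    'max-size', 'max-ratio'; data is only set when status is 'ok'."""
    if not buf.startswith(b"\x1f\x8b"):                 # gzip magic
        return "not-gzip", None
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)   # 16+ selects the gzip wrapper
    out = bytearray()
    pending = buf
    try:
        while pending and not d.eof:
            # Ask zlib for at most one byte beyond the remaining allowance, so an
            # oversized stream is detected without inflating a whole extra chunk.
            room = limits.max_size - len(out) + 1
            out += d.decompress(pending, min(chunk, room))
            pending = d.unconsumed_tail
            if len(out) > limits.max_size:
                return "max-size", None
            if len(out) > limits.max_ratio * len(buf):
                return "max-ratio", None
    except zlib.error:
        return "corrupt", None
    if not d.eof:                                       # input ended before the gzip trailer
        return "corrupt", None
    return "ok", bytes(out)


def rule_matches(post_param: bytes, options: str, content: bytes) -> bool:
    """The ticket's case: base64 POST parameter -> gzip_decompress: <options>; content:<content>."""
    limits = parse_rule_limits(options)                 # a real engine does this once, at rule load
    try:
        raw = base64.b64decode(post_param, validate=True)
    except ValueError:
        return False
    status, data = gunzip_transform(raw, limits)
    return status == "ok" and content in data


def constructed_incompressible(n: int) -> bytes:
    """Deterministic, effectively incompressible bytes (SHA-256 chain) for the size test."""
    out, block = bytearray(), b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample inputs (not captured traffic).
SAMPLE_PE = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n" + bytes(range(64))
SAMPLE_GZIP = gzip.compress(SAMPLE_PE)
SAMPLE_POST_PARAM = base64.b64encode(SAMPLE_GZIP)              # the parameter from the description
BOMB_GZIP = gzip.compress(b"\x00" * 200_000)                   # ~200 KiB of zeros in a few hundred bytes
BOMB_POST_PARAM = base64.b64encode(BOMB_GZIP)
BIG_GZIP = gzip.compress(constructed_incompressible(100_000))  # ~100 KiB that does not shrink

if __name__ == "__main__":
    print(rule_matches(SAMPLE_POST_PARAM, "max-size 1MiB, max-ratio 10", b"MZ"))   # True
    print(gunzip_transform(BOMB_GZIP, parse_rule_limits(""))[0])                   # max-ratio
    print(gunzip_transform(BIG_GZIP, parse_rule_limits("max-size 64KiB"))[0])      # max-size
```

The ratio is checked against the whole compressed input rather than the bytes consumed so far, which keeps the check deterministic for the first few output chunks (the gzip header alone would otherwise make any stream look like a bomb); a rule that asks for more than the global ceiling fails to load instead of being silently clamped, which is the stricter of the two readings of "may not exceed".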

#4 Updated by Victor Julien 3 months ago

  • Related to Feature #6922: Have a way to manually request decompression/inflate if headers are not present added

#5 Updated by Victor Julien 3 months ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Philippe Antoine
  • Target version changed from TBD to 9.0.0-beta1
  • Label Needs backport to 8.0 added

#6 Updated by OISF Ticketbot 3 months ago

  • Subtask #8235 added

#7 Updated by OISF Ticketbot 3 months ago

  • Label deleted (Needs backport to 8.0)

#8 Updated by Philippe Antoine 3 months ago

Would you have a pcap for testing?

#9 Updated by Philippe Antoine 2 months ago

  • Status changed from Assigned to In Review

#10 Updated by Philippe Antoine about 1 month ago

  • Status changed from In Review to Resolved

#11 Updated by Victor Julien about 1 month ago

  • Status changed from Resolved to Closed

#12 Updated by Victor Julien about 1 month ago

  • Status changed from Closed to In Progress

Reopening to track a small change to the rule syntax. Instead of the non-standard max-size=8 we'll use the standard max-size 8.

#13 Updated by Philippe Antoine about 1 month ago

  • Status changed from In Progress to In Review

#15 Updated by Philippe Antoine 24 days ago

  • Status changed from In Review to Closed