
Feature #7846

open

add the ability to manually call gzip decompress on any buffer and use it with other keywords and transformations

Added by James Emery-Callcott 4 days ago. Updated 2 days ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

We've seen many use cases in which we would love the ability to utilise some sort of gzip keyword/transformation to allow us to match content within that decompressed buffer. This should function similarly to how base64 keywords work.

A recent example saw an HTTP POST request with a base64 string parameter value. Once decoded, that base64 string contained a gzip compressed data blob which ended up being a malicious executable. Unfortunately, due to this limitation, we were only able to use base64 keywords and then write a signature on the gzip header.

This new feature would allow us to write signatures 1 layer deeper and to identify and differentiate between malicious and benign depending on what is found in that final layer.

ex.

gzip_decompress:relative; gzip_data; content:"blah";
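The two-layer decode the ticket describes (base64 parameter value, then a gzip blob, then a content match on the result), written out as an added Python example. This is not code from the ticket or from Suricata; the parameter value and the inner "executable" are constructed stand-ins, and the function names are illustrative. It also shows the one caveat a transform like this needs: an output cap, because gunzip can inflate a small attacker-controlled input by a very large factor.

```python
import base64
import binascii
import gzip
import zlib
from typing import Optional, Tuple

GZIP_MAGIC = b"\x1f\x8b"  # the two-byte gzip header that current signatures have to stop at

# Constructed stand-in for the inner payload: an MZ-style stub, not a real executable.
INNER_PAYLOAD = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + b"\x00" * 32


def make_param(inner: bytes) -> bytes:
    """Build a POST parameter value of the shape described: base64(gzip(inner)). Constructed input."""
    return base64.b64encode(gzip.compress(inner))


POST_PARAM = make_param(INNER_PAYLOAD)


def base64_layer(value: bytes) -> Optional[bytes]:
    """First layer: strict base64 decode (what the existing base64 keywords give you)."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def gunzip_layer(blob: bytes, limit: int) -> Tuple[Optional[bytes], bool]:
    """Second layer, the requested transform: gunzip with an output cap.

    Returns (decompressed_bytes_or_None, truncated).  truncated is True when the
    cap was hit before end-of-stream, which is the decompression-bomb case.
    """
    if not blob.startswith(GZIP_MAGIC):
        return None, False
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    try:
        out = d.decompress(blob, limit)  # never returns more than `limit` bytes
    except zlib.error:
        return None, False
    return out, not d.eof


def inspect_param(value: bytes, pattern: bytes, limit: int = 1_000_000) -> dict:
    """Emulate: base64 decode; gzip decompress; content:pattern on the final buffer."""
    decoded = base64_layer(value)
    if decoded is None:
        return {"gzip": False, "match": False, "truncated": False}
    inner, truncated = gunzip_layer(decoded, limit)
    if inner is None:
        return {"gzip": False, "match": False, "truncated": False}
    return {"gzip": True, "match": pattern in inner, "truncated": truncated}


if __name__ == "__main__":
    # The ticket's case: the match only works on the buffer below the gzip header.
    print(inspect_param(POST_PARAM, b"This program cannot be run in DOS mode"))
    # Highly compressible input: a few KB on the wire inflates to megabytes, so the cap matters.
    bomb = make_param(b"\x00" * 10_000_000)
    print(inspect_param(bomb, b"MZ", limit=65_536))
```

The `truncated` flag is the design point: a detection engine applying such a transform has to decide whether a capped buffer is still matched against (on the bytes it did produce) or flagged separately, since an unbounded gunzip turns a small request into a memory problem for the sensor.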

#1

Updated by Stuart DC 2 days ago

Preferably, adding gzip decompression (gunzip) to the transformations would allow us to not only transform any given buffer but also enable detection writers to transform carved buffers via pcrexform.
