Feature #7846
open
rules/transform: add gunzip transform
Added by James Emery-Callcott 6 months ago.
Updated 1 day ago.
Description
We've seen many use cases in which we would love the ability to utilise some sort of gzip keyword/transformation to allow us to match content within that decompressed buffer. This should function similarly to how base64 keywords work.
A recent example saw a HTTP POST request with a base64 string parameter value. Once decoded, that base64 string contained a gzip compressed data blob which ended up being a malicious executable. Unfortunately, due to this limitation, we were only able to use base64 keywords and then write a signature on the gzip header.
This new feature would allow us to write signatures 1 layer deeper and to identify and differentiate between malicious and benign depending on what is found in that final layer.
ex.
gzip_decompress:relative; gzip_data; content:"blah";
Related issues
1 (1 open — 0 closed)
preferably, adding gzip decompression (gunzip) to the transformations would allow us to not only call transform any given buffer but also enable detection writers to transform carved buffers via pcrexform.
- Subject changed from add the ability to manually call gzip decompress on any buffer and use it with other keywords and transformations to rules/transform: add gunzip transform
I think this should be a regular transform and not use the old base64 pattern with base64_decode; base64_data;
Since decompression comes with some problems, we should be careful about imposing limits.
There should be global hard limits for max decompressed size, possibly also for the input to output ratio.
Then the rule should be able to specify the same settings. The rule limits may not exceed the global limits.
e.g.
# specify limits in the rule
file.data; gzip_decompress: max-size 1MiB, max-ratio 10; content:"MZ";
# use global limits
file.data; gzip_decompress; content:"MZ";
Other options that might make sense are around how many bytes to consider for decompression on the input size.
- Related to Feature #6922: Have a way to manually request decompression/inflate if headers are not present added
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Philippe Antoine
- Target version changed from TBD to 9.0.0-beta1
- Label Needs backport to 8.0 added
- Label deleted (
Needs backport to 8.0)
Would you have a pcap for testing ?
- Status changed from Assigned to In Review
Also available in: Atom
PDF