Feature #7846
closedrules/transform: add gunzip transform
Description
We've seen many use cases in which we would love the ability to utilise some sort of gzip keyword/transformation to allow us to match content within that decompressed buffer. This should function similarly to how base64 keywords work.
A recent example saw a HTTP POST request with a base64 string parameter value. Once decoded, that base64 string contained a gzip compressed data blob which ended up being a malicious executable. Unfortunately, due to this limitation, we were only able to use base64 keywords and then write a signature on the gzip header.
This new feature would allow us to write signatures 1 layer deeper and to identify and differentiate between malicious and benign depending on what is found in that final layer.
ex.
gzip_decompress:relative; gzip_data; content:"blah";