[prev in list] [next in list] [prev in thread] [next in thread]
List: snort-sigs
Subject: Re: [Snort-sigs] Another question about the inspect_gzip option in
From: Bhagya Bantwal <bbantwal () sourcefire ! com>
Date: 2010-05-18 19:29:24
Message-ID: AANLkTinXa9nCFr66NJh2AK9h_CTXW-DUVDM8moHBg47v () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
I agree. That must be a typo which will be fixed.
-B
On Tue, May 18, 2010 at 3:27 PM, L0rd Ch0de1m0rt
<l0rdch0de1m0rt@gmail.com>wrote:
> Yes, this makes sense. Thank you Bhagyaa. So then should the manual
> read "To enable decompression of HTTP server response...."?
>
> -L0rd Ch0de1m0rt
>
> On Tue, May 18, 2010 at 1:23 PM, Bhagya Bantwal <bbantwal@sourcefire.com>
> wrote:
> > inspect_gzip will just decompress the compressed data and store it in a
> > different buffer.
> >
> > No compression in case of inline mode. So since we don't overwrite the
> > packet payload with decompressed data we dont need to compress the data
> > again.
> >
> > max_gzip_mem (as mentioned in the manual) along with decompress and
> compress
> > depths determines the maximum number of http sessions (with gzipped dat=
a)
> to
> > decompress. This is an optimization option. We dont want the system to
> run
> > out of memory trying to decompress all the compressed data.
> >
> >
> > Hope that helps.
> > -B
> >
> > On Tue, May 18, 2010 at 1:26 PM, L0rd Ch0de1m0rt <
> l0rdch0de1m0rt@gmail.com>
> > wrote:
> >>
> >> Hello. I have a simple question about the inspect_gzip option in
> >> Snort 2.8.6. I am reading in the manual where it says, on page 55 "To
> >> enable compression of HTTP server response, Snort should be configured
> >> with the =96enable-zlib flag." I thought that the inspect_gzip option
> >> just decompressed the gzip data for Snort, not compressed it. Or is
> >> for in-line Snort where the inspected gzipped data gets gzipped back
> >> up before being passed on? If so, why not just keep a copy of the
> >> original gzipped data in a separate buffer and forward that instead.
> >> I guess if you did that you'd have to drop the whole gzip buffer up to
> >> max_gzip_mem bytes on an IPS drop event. Or am I reading too much
> >> into this?
> >>
> >> Thanks.
> >>
> >> -L0rd Ch0de1m0rt
> >>
> >>
> >>
> -------------------------------------------------------------------------=
-----
> >>
> >> _______________________________________________
> >> Snort-sigs mailing list
> >> Snort-sigs@lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >
> >
>
[Attachment #5 (text/html)]
I agree. That must be a typo which will be fixed.<br><br>-B<br><br><div \
class="gmail_quote">On Tue, May 18, 2010 at 3:27 PM, L0rd Ch0de1m0rt <span \
dir="ltr"><<a href="mailto:l0rdch0de1m0rt@gmail.com">l0rdch0de1m0rt@gmail.com</a>></span> \
wrote:<br> <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, \
204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Yes, this makes sense. \
Thank you Bhagyaa. So then should the manual<br> read "To enable decompression \
of HTTP server response...."?<br> <font color="#888888"><br>
-L0rd Ch0de1m0rt<br>
</font><div class="im"><br>
On Tue, May 18, 2010 at 1:23 PM, Bhagya Bantwal <<a \
href="mailto:bbantwal@sourcefire.com">bbantwal@sourcefire.com</a>> wrote:<br> \
</div><div><div></div><div class="h5">> inspect_gzip will just decompress the \
compressed data and store it in a<br> > different buffer.<br>
><br>
> No compression in case of inline mode. So since we don't overwrite the<br>
> packet payload with decompressed data we dont need to compress the data<br>
> again.<br>
><br>
> max_gzip_mem (as mentioned in the manual) along with decompress and compress<br>
> depths determines the maximum number of http sessions (with gzipped data) to<br>
> decompress. This is an optimization option. We dont want the system to run<br>
> out of memory trying to decompress all the compressed data.<br>
><br>
><br>
> Hope that helps.<br>
> -B<br>
><br>
> On Tue, May 18, 2010 at 1:26 PM, L0rd Ch0de1m0rt <<a \
href="mailto:l0rdch0de1m0rt@gmail.com">l0rdch0de1m0rt@gmail.com</a>><br> > \
wrote:<br> >><br>
>> Hello. I have a simple question about the inspect_gzip option in<br>
>> Snort 2.8.6. I am reading in the manual where it says, on page 55 \
"To<br> >> enable compression of HTTP server response, Snort should be \
configured<br> >> with the –enable-zlib flag." I thought that the \
inspect_gzip option<br> >> just decompressed the gzip data for Snort, not \
compressed it. Or is<br> >> for in-line Snort where the inspected gzipped data \
gets gzipped back<br> >> up before being passed on? If so, why not just keep a \
copy of the<br> >> original gzipped data in a separate buffer and forward that \
instead.<br> >> I guess if you did that you'd have to drop the whole gzip \
buffer up to<br> >> max_gzip_mem bytes on an IPS drop event. Or am I reading \
too much<br> >> into this?<br>
>><br>
>> Thanks.<br>
>><br>
>> -L0rd Ch0de1m0rt<br>
>><br>
>><br>
>> ------------------------------------------------------------------------------<br>
>><br>
>> _______________________________________________<br>
>> Snort-sigs mailing list<br>
>> <a href="mailto:Snort-sigs@lists.sourceforge.net">Snort-sigs@lists.sourceforge.net</a><br>
>> <a href="https://lists.sourceforge.net/lists/listinfo/snort-sigs" \
target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-sigs</a><br> \
><br> ><br>
</div></div></blockquote></div><br>
------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic