Bug #2510


Suricata doesn't decompress HTTP POST body

Added by ajaxtpm over 6 years ago. Updated about 3 years ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Effort: medium
Difficulty: medium
Label:

Description

The subject is self-explanatory. If I send an HTTP POST request with a gzipped POST body, it doesn't get decompressed, and the cleartext inside cannot be inspected by signatures.
Of course, this is an IDS bypass technique.

Example signatures:
alert http any any -> any any (msg: "GZIPPED REQUEST"; flow: established, to_server; content: "name"; http_client_body; nocase; sid: 1; rev: 1; )
alert http any any -> any any (msg: "TO_SERVER |1F 8B|"; flow: established, to_server; content: "|1F 8B|"; http_client_body; sid: 2; rev: 1; )

Pcap Attached

Expectation: alert sid 1
Reality: alert sid 2
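To make the two outcomes above reproducible without the attached pcap, here is an added example (not code from the reporter or from the Suricata/libhtp projects) that builds a constructed POST request with a gzip-compressed form body, then emulates the http_client_body buffer two ways: the raw body as received (the behaviour the report describes) and the body after honouring Content-Encoding: gzip (the expected behaviour). The two pattern checks mirror sid 1 (content:"name"; nocase) and sid 2 (content:"|1F 8B|"). The host name, URI, form fields and the buffer-emulation helpers are all assumptions made for the example; the matching logic is a simplification of what a rule engine does, not Suricata's own.

```python
import gzip

# Constructed sample request, not the attached gzip_post.pcap.
# The form body is what a signature author wants to inspect.
FORM_BODY = b"name=admin&password=hunter2"

# Patterns from the two example signatures in the report:
#   sid 1: content:"name"; http_client_body; nocase;
#   sid 2: content:"|1F 8B|"; http_client_body;   (gzip magic bytes)
SIGNATURES = {
    1: (b"name", True),      # (pattern, nocase)
    2: (b"\x1f\x8b", False),
}


def build_request(body: bytes, compress: bool) -> bytes:
    """Serialize an HTTP/1.1 POST. With compress=True the body is gzipped
    and a Content-Encoding: gzip header is added, as the reporter's client did.
    mtime=0 keeps the gzip header deterministic for the test."""
    if compress:
        body = gzip.compress(body, compresslevel=9, mtime=0)
    headers = [
        b"POST /login HTTP/1.1",          # assumed URI
        b"Host: example.test",            # assumed host
        b"Content-Type: application/x-www-form-urlencoded",
    ]
    if compress:
        headers.append(b"Content-Encoding: gzip")
    headers.append(b"Content-Length: " + str(len(body)).encode())
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def split_request(raw: bytes):
    """Minimal HTTP request splitter: request line, lower-cased header map, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def client_body_buffer(raw: bytes, decompress: bool) -> bytes:
    """Emulate the http_client_body buffer handed to the detection engine.
    decompress=False: the raw body bytes (the reported behaviour).
    decompress=True : gzip-decoded when Content-Encoding says so (the expected
    behaviour). A malformed gzip stream falls back to the raw bytes so that
    sid 2 style rules still see the magic bytes instead of nothing."""
    _, headers, body = split_request(raw)
    if decompress and headers.get(b"content-encoding", b"").lower() == b"gzip":
        try:
            return gzip.decompress(body)
        except (OSError, EOFError):
            return body
    return body


def match(buf: bytes):
    """Return the sorted list of sids whose content pattern occurs in buf."""
    hits = []
    for sid, (pattern, nocase) in SIGNATURES.items():
        haystack = buf.lower() if nocase else buf
        needle = pattern.lower() if nocase else pattern
        if needle in haystack:
            hits.append(sid)
    return sorted(hits)


def alerts(raw: bytes, decompress: bool):
    return match(client_body_buffer(raw, decompress))


if __name__ == "__main__":
    req = build_request(FORM_BODY, compress=True)
    print("without decompression:", alerts(req, decompress=False))
    print("with decompression:   ", alerts(req, decompress=True))
```

Running it shows the gap the report is about: against the raw buffer only sid 2 fires (the gzip magic is visible, the cleartext is not), while against the decoded buffer only sid 1 fires. Matching on |1F 8B| in http_client_body is a useful interim tripwire for compressed request bodies, but it flags every legitimately gzipped upload and tells you nothing about what was inside; only decoding before inspection closes the bypass.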


Files

gzip_post.pcap (1.23 KB), ajaxtpm, 06/04/2018 04:55 PM

Related issues (1: 0 open, 1 closed)

Related to Suricata - Task #3479: libhtp 0.5.33 (4.1.x) (Closed, Philippe Antoine)