[Bro] How to use HTTP ZIP detection/conversion ?

rmkml rmkml at free.fr
Sun May 18 17:29:38 PDT 2008

Hi Bro Workers,
Does anyone know how to extract zip on an HTTP stream and search (IDS) on it?
Example with this link with the Firefox browser:
  User-Agent: Mozilla/5.0 .....
  Server: Apache
  Content-Encoding: gzip
  Vary: Accept-Encoding
Same with wget:
  User-Agent: Wget...
  Server: Apache

Example Bro IDS signature (Snort-like) that works without encoding:
signature sid-92912 {
   ip-proto == tcp
   event "example IE Print Table of Links"
   tcp-state established,responder
   http-body /.*[hH][rR][eE][fF]\s*=(.){0,16}[hH][tT][tT][pP]\:(.){0,49}=[^>]*<\s*([jJ][aA][vV][aA])?[sS][cC][rR][iI][pP][tT]/
}

Is it possible?
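
Added example, not part of the original post: it shows why the http-body pattern of sid-92912 matches the unencoded wget response but not the bytes sent under Content-Encoding: gzip, and that it matches again once the body is decoded. Python stands in for the IDS matcher; the sample body, the size cap and the function names are assumptions.

```python
import gzip
import re
import zlib

# http-body pattern from signature sid-92912 in the post; DOTALL is an
# assumption so that '.' also crosses newlines in the HTML body.
SIG_92912 = re.compile(
    rb".*[hH][rR][eE][fF]\s*=(.){0,16}[hH][tT][tT][pP]\:(.){0,49}=[^>]*<\s*"
    rb"([jJ][aA][vV][aA])?[sS][cC][rR][iI][pP][tT]",
    re.DOTALL,
)

MAX_DECODED = 1 << 20  # hypothetical cap against decompression bombs


def decode_body(content_encoding, raw):
    """Undo the HTTP Content-Encoding so the pattern sees the entity body."""
    enc = (content_encoding or "identity").strip().lower()
    if enc == "identity":
        return raw
    if enc not in ("gzip", "x-gzip", "deflate"):
        raise ValueError("unsupported Content-Encoding: " + enc)
    d = zlib.decompressobj(zlib.MAX_WBITS | 32)  # accepts gzip or zlib header
    out = d.decompress(raw, MAX_DECODED)
    if not d.eof:  # stream truncated, or more output than the cap allows
        raise ValueError("body truncated or larger than MAX_DECODED")
    return out


def signature_matches(body):
    """True if the sid-92912 body pattern is found in the given bytes."""
    return SIG_92912.search(body) is not None


# Constructed sample response body (not taken from the post).
PLAIN = (b"<html><body>\n" + b"<p>filler paragraph</p>\n" * 20 +
         b'<a href="http://example.test/p?x=1<script>print()</script>">x</a>\n'
         b"</body></html>\n")
GZIPPED = gzip.compress(PLAIN, mtime=0)  # bytes on the wire for the gzip case

if __name__ == "__main__":
    print("no encoding (wget case):   ", signature_matches(PLAIN))
    print("raw gzip bytes (Firefox):  ", signature_matches(GZIPPED))
    print("gzip body after decoding:  ",
          signature_matches(decode_body("gzip", GZIPPED)))
```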
