[Bro] HTTP plus Compression File Extraction

anthony kasza anthony.kasza at gmail.com
Sat Apr 25 21:54:46 PDT 2015


It's absolutely the most sane case. As usual I have a specific use case in
mind. When the gzip contents are corrupted I'd like to attempt to recover
portions of whatever was transferred. I'll try to find an example trace...

-AK
On Apr 25, 2015 6:12 PM, "Seth Hall" <seth at icir.org> wrote:

>
> > On Apr 25, 2015, at 1:16 AM, anthony kasza <anthony.kasza at gmail.com> wrote:
> >
> > Is there a way to control how the file analysis framework handles HTTP
> > compression? For example, if a PNG is transferred over HTTP with gzip
> > compression, can I have Bro dump the gzip file instead of the PNG?
>
> Are you sure that’s what you really want? In the case of gzip, deflate,
> etc. encoded content, that encoding is actually part of the protocol; it’s
> not really an aspect of the file. That’s how Bro currently handles things
> at least and seems to be the most sane option to me, but perhaps you have
> some compelling use case?
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
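
The use case raised in this thread, salvaging whatever still decodes from a damaged gzip-encoded HTTP body, sketched as an added example that is not part of the original messages and is not Bro code. It assumes the raw encoded body bytes have already been obtained by some other means (for example carved from a capture); `salvage_gzip` and `SAMPLE_BODY` are hypothetical names and the sample data is constructed.

```python
import gzip
import hashlib
import zlib

# Constructed sample body standing in for a gzip-encoded HTTP payload.
SAMPLE_BODY = b"".join(
    b"%d,%s\n" % (i, hashlib.sha256(str(i).encode()).hexdigest().encode())
    for i in range(100)
)


def salvage_gzip(raw, chunk_size=64):
    """Decode as much of a gzip stream as possible.

    Returns (recovered_bytes, problem); problem is None for an intact stream.
    """
    # 16 + MAX_WBITS tells zlib to expect a gzip header and trailer.
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)
    out = bytearray()
    for off in range(0, len(raw), chunk_size):
        try:
            # Small chunks: when zlib raises, only the failing chunk's
            # output is lost; everything decoded earlier is kept.
            out += d.decompress(raw[off:off + chunk_size])
        except zlib.error as exc:
            return bytes(out), "decode error in chunk at offset %d: %s" % (off, exc)
    if not d.eof:
        return bytes(out), "stream ended before the gzip trailer"
    return bytes(out), None


if __name__ == "__main__":
    blob = gzip.compress(SAMPLE_BODY, mtime=0)
    damaged = bytearray(blob)
    damaged[len(blob) // 2] ^= 0xFF  # simulate one corrupted byte in transit
    for label, data in (("intact", blob),
                        ("truncated", blob[:len(blob) // 2]),
                        ("corrupted", bytes(damaged))):
        recovered, problem = salvage_gzip(data)
        print(label, len(recovered), "bytes recovered;", problem or "ok")
```

For a truncated stream the recovered bytes are an exact prefix of the original. For a corrupted stream, only the bytes decoded before the damaged offset are trustworthy, since zlib may emit wrong output between the damage and the point where it detects the error.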