[Bro] HTTP plus Compression File Extraction

anthony kasza anthony.kasza at gmail.com
Sat Apr 25 21:54:46 PDT 2015

It's absolutely the most sane case. As usual I have a specific use case in
mind. When the gzip contents are corrupted I'd like to attempt to recover
portions of whatever was transferred. I'll try to find an example trace...

On Apr 25, 2015 6:12 PM, "Seth Hall" <seth at icir.org> wrote:

> > On Apr 25, 2015, at 1:16 AM, anthony kasza <anthony.kasza at gmail.com> wrote:
> >
> > Is there a way to control how the file analysis framework handles HTTP
> > compression? For example, if a PNG is transferred over HTTP with gzip
> > compression, can I have Bro dump the gzip file instead of the PNG?
>
> Are you sure that’s what you really want?  In the case of gzip, deflate,
> etc. encoded content, that encoding is actually part of the protocol; it’s
> not really an aspect of the file.  That’s how Bro currently handles things
> at least and seems to be the most sane option to me, but perhaps you have
> some compelling use case?
>   .Seth
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
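
An added example, not part of the original thread and not Bro code: a Python sketch of the recovery use case described in the message above, assuming the raw gzip-encoded HTTP body is already available as bytes. The function name `salvage_gzip`, its parameters and the sample payload are constructed for illustration.

```python
import gzip
import zlib


def salvage_gzip(body, chunk_size=64, max_out=16 * 1024 * 1024):
    """Decode as much of a gzip-encoded body as possible.

    Returns (recovered_bytes, error); error is None only when the stream
    decoded cleanly through its CRC32/length trailer.
    """
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    recovered = bytearray()
    for off in range(0, len(body), chunk_size):
        try:
            recovered += d.decompress(body[off:off + chunk_size])
        except zlib.error as exc:
            # Deflate often notices damage late, so the last bytes kept
            # before this point may already be garbage.
            return bytes(recovered), "corrupt near offset %d: %s" % (off, exc)
        if len(recovered) > max_out:
            # Coarse decompression-bomb guard, checked once per input chunk.
            return bytes(recovered), "output limit exceeded"
        if d.eof:
            return bytes(recovered), None
    return bytes(recovered), "truncated before gzip trailer"


def make_sample():
    """Constructed payload standing in for an HTTP entity body."""
    lines = ["record %d value %d\n" % (i, (i * 7919) % 10007) for i in range(3000)]
    return "".join(lines).encode()


ORIGINAL = make_sample()
ENCODED = gzip.compress(ORIGINAL)
CUT = (len(ENCODED) // 2 // 64) * 64           # chunk-aligned midpoint
TRUNCATED = ENCODED[:CUT]                      # transfer cut off half way
DAMAGED = ENCODED[:CUT] + b"\xff" * 32 + ENCODED[CUT + 32:]  # 32 bytes overwritten

if __name__ == "__main__":
    for name, body in (("intact", ENCODED), ("truncated", TRUNCATED), ("damaged", DAMAGED)):
        data, err = salvage_gzip(body)
        print(name, len(data), "of", len(ORIGINAL), "bytes;", err)
```

Only the output decoded from input that precedes the damage can be trusted; anything emitted between the damaged offset and the point where zlib raises should be treated as suspect.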