[Bro] How to use HTTP ZIP detection/conversion ?
rmkml
rmkml at free.fr
Sun May 18 17:29:38 PDT 2008
Hi Bro Workers,
Does anyone know how to extract zip on an HTTP stream and search (IDS) on it?
Example with this link in the Firefox browser:
http://www.milw0rm.com/exploits/5619
...
User-Agent: Mozilla/5.0 .....
...
Server: Apache
Content-Encoding: gzip
Vary: Accept-Encoding
...
Same with wget:
...
User-Agent: Wget...
...
Server: Apache
...
Example Bro IDS signature (Snort-like) that works without encoding:
signature sid-92912 {
  ip-proto == tcp
  event "example IE Print Table of Links"
  tcp-state established,responder
  http-body /.*[hH][rR][eE][fF]\s*=(.){0,16}[hH][tT][tT][pP]\:(.){0,49}=[^>]*<\s*([jJ][aA][vV][aA])?[sS][cC][rR][iI][pP][tT]/
}
Is it possible?
Regards
Rmkml
Crusoe-Researches.com