Snort Package - Enable Flash & PDF decompression



  • Hi,

    As of Snort version 2.9.7.0 the HTTP pre-processor has allowed for decompression of flash and PDF files for better analysis of these.  I noticed however that these options do not seem to be enabled in the snort pfsense package and, given the preference for exploit kits to currently use flash, it would be useful if these options were enabled by default.

    http://blog.snort.org/2014/10/snort-297-has-been-released.html
    "The HTTP Inspection preprocessor now has the ability to decompress
    DEFLATE and LZMA compressed flash content and DEFLATE compressed PDF
    content from http responses when configured with the new
    decompress_swf and decompress_pdf options. This enhancement can be
    used with existing rule options that already match against
    decompressed equivalents."

    Current Settings
            post_depth -1
            max_headers 0
            max_header_length 0
            max_spaces 0
            enable_xff
            enable_cookie
            normalize_cookies
            normalize_headers
            normalize_utf
            extended_response_inspection
            inspect_gzip
            unlimited_decompress
            normalize_javascript
            max_javascript_whitespaces 200
            log_uri
            log_hostname

    Would need these added in:
    decompress_swf
    decompress_pdf

    Thank you very much for providing this :)

    Kind Regards,
    Kevin Ross
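    As an added example (not part of this thread, nor of the pfSense package), a small Python check that joins the backslash-continued http_inspect_server stanzas of a snort.conf and reports which of the decompression options each server block still lacks. The sample stanzas are constructed from the option list above; the argument syntax `decompress_swf { deflate lzma }` and `decompress_pdf { deflate }` follows the Snort 2.9.7 manual, which also ties these response-body options to extended_response_inspection (an assumption taken from the manual, not stated in the thread).

```python
import re

# Constructed sample, modelled on the "Current Settings" list above: a
# pfSense-style server stanza without the new options (BEFORE) and the
# same stanza with decompress_swf / decompress_pdf appended (AFTER).
BEFORE = """\
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \\
    profile all ports { 80 8080 } \\
    extended_response_inspection \\
    inspect_gzip \\
    unlimited_decompress \\
    normalize_javascript \\
    max_javascript_whitespaces 200
"""
AFTER = (BEFORE.rstrip("\n")
         + " \\\n    decompress_swf { deflate lzma }"
         + " \\\n    decompress_pdf { deflate }\n")

# Options an operator wants present before expecting Flash/PDF bodies to
# be inspected (extended_response_inspection per the Snort manual).
WANTED = ("extended_response_inspection", "inspect_gzip",
          "decompress_swf", "decompress_pdf")

STANZA = re.compile(r"\s*preprocessor\s+http_inspect_server:\s*server\s+"
                    r"(default|\{[^}]*\})\s*(.*)")


def http_inspect_servers(conf: str):
    """Yield (server, option_text) per http_inspect_server stanza.

    Snort allows a stanza to span lines ending in a backslash, so the
    continuation lines are joined before matching."""
    joined = re.sub(r"\\\n", " ", conf)
    for line in joined.splitlines():
        m = STANZA.match(line)
        if m:
            yield m.group(1), m.group(2)


def audit(conf: str) -> dict:
    """Return {server: {option: present?}} for the WANTED options.

    Only explicitly written options are checked; the profile keyword is
    not expanded."""
    return {name: {opt: re.search(rf"\b{opt}\b", opts) is not None
                   for opt in WANTED}
            for name, opts in http_inspect_servers(conf)}


def missing(conf: str) -> dict:
    """Return {server: [absent options]} for a quick before/after check."""
    return {name: [o for o, ok in flags.items() if not ok]
            for name, flags in audit(conf).items()}
```

Running `missing(BEFORE)` shows the two decompression options absent for the default server, while `missing(AFTER)` reports nothing missing.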



  • Thanks for the heads-up.  I will add these new options in the next Snort update.

    Bill



  • Great, thanks. Just so you are aware it does require liblzma during compile for this option to work.



  • These two options will be available in the next Snort update which I'm working on now.  Should be ready in a few days. The options will be included as part of the HTTP_INSPECT window that opens when you edit an HTTP Server configuration from the PREPROCESSORS tab.

    Bill



  • @bmeeks:

    These two options will be available in the next Snort update which I'm working on now.  Should be ready in a few days. The options will be included as part of the HTTP_INSPECT window that opens when you edit an HTTP Server configuration from the PREPROCESSORS tab.

    Bill

    Thanks! One question, why leave these options unchecked by default? Is it due to potential performance hits or is there something else that should be considered before enabling?



  • @jeffh:

    @bmeeks:

    These two options will be available in the next Snort update which I'm working on now.  Should be ready in a few days. The options will be included as part of the HTTP_INSPECT window that opens when you edit an HTTP Server configuration from the PREPROCESSORS tab.

    Bill

    Thanks! One question, why leave these options unchecked by default? Is it due to potential performance hits or is there something else that should be considered before enabling?

    No particular reason other than since they were never there before, they were sort of by default "unchecked".  In retrospect I probably should have defaulted them to "checked" and will do so in the next update.

    Bill

