Snort Package - Enable Flash & PDF decompression
- 
 Hi, As of Snort version 2.9.7.0 the HTTP pre-processor has allowed for decompression of Flash and PDF files for better analysis of these. I noticed, however, that these options do not seem to be enabled in the Snort pfSense package, and given the preference for exploit kits to currently use Flash it would be useful if these options were enabled by default.

 http://blog.snort.org/2014/10/snort-297-has-been-released.html

 "The HTTP Inspection preprocessor now has the ability to decompress
 DEFLATE and LZMA compressed flash content and DEFLATE compressed PDF
 content from http responses when configured with the new
 decompress_swf and decompress_pdf options. This enhancement can be
 used with existing rule options that already match against
 decompressed equivalents."

 Current Settings
 post_depth -1
 max_headers 0
 max_header_length 0
 max_spaces 0
 enable_xff
 enable_cookie
 normalize_cookies
 normalize_headers
 normalize_utf
 extended_response_inspection
 inspect_gzip
 unlimited_decompress
 normalize_javascript
 max_javascript_whitespaces 200
 log_uri
 log_hostname

 Would need these added in:
 decompress_swf
 decompress_pdf

 Thank you very much for providing this :) Kind Regards,
 Kevin Ross
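
 One way to check an existing snort.conf for the two options requested above, as an added example that is not part of the original post or of the pfSense package. The function names and the sample configuration are constructed for illustration; the option names are the ones listed in the post.

```python
import re

# Options the post asks to have added (names as given in the thread).
WANTED = ("decompress_swf", "decompress_pdf")

# Constructed sample: one server block without the options, one with them.
SAMPLE_CONF = r"""
# constructed sample, option names taken from the post above
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } \
    extended_response_inspection \
    inspect_gzip \
    unlimited_decompress \
    log_uri

preprocessor http_inspect_server: server 192.0.2.10 \
    profile all ports { 80 } \
    extended_response_inspection \
    inspect_gzip \
    decompress_swf \
    decompress_pdf
"""

def logical_lines(conf_text):
    """Yield directives with '#' comments dropped and '\\' continuations joined."""
    buf = ""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()

def audit_http_inspect(conf_text):
    """Return {server: [missing options]} for every http_inspect_server block."""
    report = {}
    for line in logical_lines(conf_text):
        m = re.match(r"preprocessor\s+http_inspect_server\s*:\s*server\s+"
                     r"(\{[^}]*\}|\S+)\s*(.*)", line)
        if m:
            # Drop brace-delimited arguments (port lists) before tokenising.
            options = set(re.sub(r"\{[^}]*\}", " ", m.group(2)).split())
            report[m.group(1)] = [o for o in WANTED if o not in options]
    return report

if __name__ == "__main__":
    for server, missing in audit_http_inspect(SAMPLE_CONF).items():
        print(server, "missing:", ", ".join(missing) or "none")
```

 Each server block is reported separately because a configuration can carry a default block plus per-address blocks, and the options have to be present in every block that handles the traffic of interest.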
- 
 Thanks for the heads-up. I will add these new options in the next Snort update. Bill 
- 
 Great, thanks. Just so you are aware it does require liblzma during compile for this option to work. 
- 
 These two options will be available in the next Snort update which I'm working on now. Should be ready in a few days. The options will be included as part of the HTTP_INSPECT window that opens when you edit an HTTP Server configuration from the PREPROCESSORS tab. Bill 
- 
 > These two options will be available in the next Snort update which I'm working on now. Should be ready in a few days. The options will be included as part of the HTTP_INSPECT window that opens when you edit an HTTP Server configuration from the PREPROCESSORS tab. Bill

 Thanks! One question, why leave these options unchecked by default? Is it due to potential performance hits or is there something else that should be considered before enabling?
- 
 > > These two options will be available in the next Snort update which I'm working on now. Should be ready in a few days. The options will be included as part of the HTTP_INSPECT window that opens when you edit an HTTP Server configuration from the PREPROCESSORS tab. Bill
 >
 > Thanks! One question, why leave these options unchecked by default? Is it due to potential performance hits or is there something else that should be considered before enabling?

 No particular reason other than since they were never there before, they were sort of by default "unchecked". In retrospect I probably should have defaulted them to "checked" and will do so in the next update. Bill
