Netgate Discussion Forum
Snort Package - Enable Flash & PDF decompression

IDS/IPS
6 Posts 3 Posters 1.8k Views
    kevross33
    last edited by Sep 5, 2015, 11:33 AM

    Hi,

    As of Snort version 2.9.7.0 the HTTP pre-processor has allowed for decompression of Flash and PDF files for better analysis of these. I noticed, however, that these options do not seem to be enabled in the Snort pfSense package, and given the preference of exploit kits to currently use Flash, it would be useful if these options were enabled by default.

    http://blog.snort.org/2014/10/snort-297-has-been-released.html
    "The HTTP Inspection preprocessor now has the ability to decompress
    DEFLATE and LZMA compressed flash content and DEFLATE compressed PDF
    content from http responses when configured with the new
    decompress_swf and decompress_pdf options. This enhancement can be
    used with existing rule options that already match against
    decompressed equivalents."

    Current Settings
            post_depth -1
            max_headers 0
            max_header_length 0
            max_spaces 0
            enable_xff
            enable_cookie
            normalize_cookies
            normalize_headers
            normalize_utf
            extended_response_inspection
            inspect_gzip
            unlimited_decompress
            normalize_javascript
            max_javascript_whitespaces 200
            log_uri
            log_hostname

    Would need these added in:
    decompress_swf
    decompress_pdf

    Thank you very much for providing this :)

    Kind Regards,
    Kevin Ross

    bmeeks
    last edited by Sep 9, 2015, 12:47 AM

      Thanks for the heads-up.  I will add these new options in the next Snort update.

      Bill

      kevross33
      last edited by Sep 10, 2015, 9:55 PM

        Great, thanks. Just so you are aware it does require liblzma during compile for this option to work.

        bmeeks
        last edited by Nov 11, 2015, 12:19 AM

          These two options will be available in the next Snort update which I'm working on now.  Should be ready in a few days. The options will be included as part of the HTTP_INSPECT window that opens when you edit an HTTP Server configuration from the PREPROCESSORS tab.

          Bill

          jeffhammett
          last edited by Dec 11, 2015, 4:36 AM

            @bmeeks:

            These two options will be available in the next Snort update which I'm working on now.  Should be ready in a few days. The options will be included as part of the HTTP_INSPECT window that opens when you edit an HTTP Server configuration from the PREPROCESSORS tab.

            Bill

            Thanks! One question, why leave these options unchecked by default? Is it due to potential performance hits or is there something else that should be considered before enabling?

            bmeeks
            last edited by Dec 12, 2015, 4:23 AM

              @jeffh:

              @bmeeks:

              These two options will be available in the next Snort update which I'm working on now.  Should be ready in a few days. The options will be included as part of the HTTP_INSPECT window that opens when you edit an HTTP Server configuration from the PREPROCESSORS tab.

              Bill

              Thanks! One question, why leave these options unchecked by default? Is it due to potential performance hits or is there something else that should be considered before enabling?

              No particular reason other than since they were never there before, they were sort of by default "unchecked".  In retrospect I probably should have defaulted them to "checked" and will do so in the next update.

              Bill
