This question is likely geared towards Seth but I thought others on the list may have an answer or find the question useful too.
Is there a way to control how the file analysis framework handles HTTP compression? For example, if a PNG is transferred over HTTP with gzip compression, can I have Bro dump the gzip file instead of the PNG?
Are you sure that’s what you really want? In the case of gzip, deflate, etc. encoded content, that encoding is actually part of the protocol; it’s not really an aspect of the file. That’s how Bro currently handles things at least and seems to be the most sane option to me, but perhaps you have some compelling use case?
It’s absolutely the most sane case. As usual I have a specific use case in mind. When the gzip contents are corrupted I’d like to attempt to recover portions of whatever was transferred. I’ll try to find an example trace…
I may have just fixed the problem recently that you’re seeing. There is an issue where some web servers don’t set all of the deflate headers correctly and Bro has never dealt with this right, but I fixed it recently. I just have to find where I put it; I don’t think I ever pushed it out to git.
Does this sound like the problem you’re seeing?
Never mind! I was looking at corrupted gzip content being transmitted over HTTP with gzip encoding. The HTTP encoding is handled properly by Bro. My content was the issue.
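An added example, not code from the thread or from Bro itself, for the use case discussed above: inflating a gzip- or deflate-encoded HTTP body chunk by chunk so that whatever decoded before a corrupt or truncated region is kept, plus a heuristic for the raw-versus-zlib-wrapped deflate quirk Seth mentions. The PNG-like payload and the damaged bodies are constructed here; `looks_zlib_wrapped`, `recover_encoded_body` and `build_samples` are names chosen for this example.

```python
import gzip
import zlib

# Constructed sample: PNG signature plus filler, standing in for an image carried
# in a gzip-encoded HTTP response. It is not a real PNG.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 64


def looks_zlib_wrapped(body: bytes) -> bool:
    # Content-Encoding: deflate should be zlib-wrapped (CM=8 in the low nibble of
    # byte 0, CMF*256+FLG divisible by 31); some servers send raw deflate instead.
    return (len(body) >= 2 and (body[0] & 0x0F) == 8
            and ((body[0] << 8) | body[1]) % 31 == 0)


def recover_encoded_body(body: bytes, encoding: str = "gzip", chunk: int = 64):
    """Inflate a gzip/deflate HTTP body, keeping whatever decoded before it breaks.
    Returns (recovered_bytes, complete, note). Input is fed in small chunks: zlib
    raises for the chunk holding a corrupt region and only that chunk's output is
    lost, so everything decoded earlier survives."""
    if encoding == "gzip":
        wbits = 16 + zlib.MAX_WBITS  # gzip header plus CRC32/ISIZE trailer
    elif encoding == "deflate":
        wbits = zlib.MAX_WBITS if looks_zlib_wrapped(body) else -zlib.MAX_WBITS
    else:
        return body, True, "identity: nothing to decode"
    inflater = zlib.decompressobj(wbits)
    out = bytearray()
    for off in range(0, len(body), chunk):
        try:
            out += inflater.decompress(body[off:off + chunk])
        except zlib.error as exc:
            return bytes(out), False, f"decode error in chunk at offset {off}: {exc}"
        if inflater.eof:
            return bytes(out), True, "complete"
    return bytes(out), False, "truncated before the end-of-stream marker"


def build_samples() -> dict:
    # Constructed bodies: intact, truncated and one-byte-corrupted gzip, plus
    # zlib-wrapped and raw deflate (raw = strip 2-byte header and 4-byte Adler-32).
    intact = gzip.compress(SAMPLE_PNG, mtime=0)
    damaged = bytearray(intact)
    damaged[len(damaged) // 2] ^= 0xFF  # flip one byte inside the deflate data
    wrapped = zlib.compress(SAMPLE_PNG)
    return {"gzip": intact, "gzip-truncated": intact[: len(intact) // 2],
            "gzip-corrupted": bytes(damaged), "deflate-zlib": wrapped, "deflate-raw": wrapped[2:-4]}


if __name__ == "__main__":
    for label, body in build_samples().items():
        data, ok, note = recover_encoded_body(body, label.split("-")[0])
        print(f"{label:16s} complete={ok!s:5s} recovered={len(data):6d} bytes  {note}")
```

The recovered prefix is what a file analyzer could still hand on (or carve) when the server's content, rather than the HTTP encoding, is what is broken.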