[Snort-devel] extracting data_payload data

roman at ...49... roman at ...49...
Wed Jan 9 19:15:02 EST 2002


Peter,
 
The data_payload column stores the packet payload.  Snort allows a number
of different encoding formats for this binary data.  Take a look at
README.database in the snort distribution for more detail.

encoding=ascii : all bytes which represent printable characters are
included; non-printable characters are converted to '.'
 
e.g.: 01 41 0D   =>  .A.
      |------|       |-|
       |              |-- 3-bytes stored in data_payload
       3-bytes from the packet payload

encoding=hex : each byte is converted into a two-character string of the
corresponding hex digits.
 
e.g.: 01 41 0D   => 01410D
      |------|      |----|
       |             |-- 6-bytes stored in data_payload
       3-bytes from the packet payload
 
Hex encoding is the only way to store the entire payload unmodified and   
provide efficient searching ability on the data.

cheers,
Roman

On Mon, 24 Dec 2001, Peter Moore wrote:

> greetings snorters,
> i am logging Snort data to PostgreSQL and the output directive is:
> output database: alert, postgresql, host=xxx.xxx.xxx.xxx user=myuser dbname=
> snort sensor_name=xxx.xxx.xxx.xxx detail=full encoding=ascii
>
> i have a question on the data being logged to the data table; specifically
> the data_payload column.
> As you can see from the above output directive i am using ascii encoding and
> if you look at the SQL query below the results show the data_payload column
> to have undecipherable data in it.
>
> Any clues? i am looking to refine Snort Monitor so that i can double click on
> an alert and retrieve the underlying data_payload. (ie more detail).
>
> Should i be using hex encoding to store the data? If so, how do i extract it
> into "human readable format"??
>
> Sorry for the questions but i am interested in building a very good product
> which we can all use....well if we all use BeOS :P
> If there's an FAQ i have missed please point me in that direction.
>
> Snort SQL and resultset follow.
> If anyone wants me to write some SQL queries for them, just drop me a line as
> i am a Sybase DBA and developer (amongst other things) in the real world.
> cheers
> peter
> *******************************************
> Peter Moore
> 
> peter at ...799...
> http://beos.loved.com/
> ICQ 926967 (old) 95022055 (new - Oct 18, 2000)
> *******************************************
> 
> select event.sid, event.cid, signature.sig_name, data.data_payload
> from event, iphdr, signature, data
> where event.cid = iphdr.cid
> and event.sid = iphdr.sid
> and event.cid = data.cid
> and event.sid = data.sid
> and event.cid = 524
> and signature.sig_id = event.signature
> order by timestamp desc
> 
> 
>  sid | cid |                                 sig_name                                 |           data_payload
> -----+-----+--------------------------------------------------------------------------+----------------------------------
>    5 | 524 | ICMP Destination Unreachable (Communication Administratively Prohibited) | ....E..(b.....V....S.m...{.P(7H9
> 
> snort=#
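The two encodings Roman describes, and the "human readable" extraction Peter asks about, as an added example (not code from Snort or from either poster). It models encoding=ascii and encoding=hex on a constructed sample payload, shows why only the hex column can be turned back into the original bytes, and renders those bytes as an xxd-style dump. Assumptions: the hex digits are stored in upper case as in Roman's example (the decoder accepts either case), and "printable" means the C isprint() range 0x20-0x7E.

```python
import binascii

# Constructed sample payload, not a real capture: the three bytes from
# Roman's example followed by a short printable request line.
SAMPLE_PAYLOAD = bytes.fromhex("01410d") + b"GET / HTTP/1.0\r\n"


def encode_ascii(payload: bytes) -> str:
    """encoding=ascii: printable bytes are kept, every other byte becomes '.'.
    One character per byte, but lossy (assumed isprint() range 0x20-0x7E)."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in payload)


def encode_hex(payload: bytes) -> str:
    """encoding=hex: two hex digits per byte, lossless (upper case assumed)."""
    return binascii.hexlify(payload).decode("ascii").upper()


def decode_hex(column: str) -> bytes:
    """Recover the original payload bytes from a hex-encoded data_payload value."""
    return binascii.unhexlify(column)


def payload_from_column(column: str, encoding: str) -> bytes:
    """Turn a stored data_payload value back into bytes.

    Only the hex encoding is reversible.  With ascii, every non-printable
    byte has already been replaced by '.', so the stored characters are all
    that is left; we return them as-is rather than pretend to decode them.
    """
    if encoding == "hex":
        return decode_hex(column)
    if encoding == "ascii":
        return column.encode("ascii")  # lossy: any '.' may have been any byte
    raise ValueError(f"unknown encoding {encoding!r}")


def hexdump(payload: bytes, width: int = 16) -> str:
    """Render bytes xxd-style: offset, hex groups, printable sidebar."""
    lines = []
    for off in range(0, len(payload), width):
        chunk = payload[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        lines.append(f"{off:08X}  {hexpart:<{width * 3 - 1}}  {encode_ascii(chunk)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # What each encoding would put in the data_payload column.
    print("ascii column:", encode_ascii(SAMPLE_PAYLOAD))
    print("hex column:  ", encode_hex(SAMPLE_PAYLOAD))
    # Round-trip the hex column and show it the way a payload viewer would.
    print(hexdump(payload_from_column(encode_hex(SAMPLE_PAYLOAD), "hex")))
```

Storing hex doubles the column size but keeps every byte, so a viewer such as the one Peter describes can rebuild the packet exactly; with ascii the "undecipherable" dots in his result set are all that survives of the non-printable bytes.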


