[Snort-sigs] Grabbing more content

Paul Schmehl pauls at ...1311...
Tue Feb 14 16:21:01 EST 2006

--On Tuesday, February 14, 2006 18:19:46 -0500 Joel Esler 
<joel.esler at ...435...> wrote:

> Paul,
> That may be all there is in the packet.  Try running Snort in packet
> dump mode (or tcpdump) along side Snort at the same time these  packets
> are alerting your IDS.  Make sure you have snaplen set to 0 (- s 0), and
> then compare the two.
> That may be all there is.
> Snort captures the full snaplen of the packet by default, so unless  you
> want to use tag to get the whole session, whatever is in the  alert, is
> what it is in the packet.
Thanks, Joel.  I see now that every packet is terminated with a \r\n.

The one packet I emailed to the list that had urlencoded content in it 
decodes to this:


Does anyone have any idea what those strings mean?  What is #25552?  Or 
#20132?  Etc.?  They look almost like unicode.  Or HTML color codes.

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
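A small decoder for the kind of content discussed in this message, added here as an example and not code from the thread or from Snort. It percent-decodes a form body and then resolves HTML numeric character references, on the assumption that the `#25552`-style tokens in the post are the numeric part of `&#NNNNN;` references. The sample payload, its field names and the `&...;` framing around the numbers are constructed for this example. Under that assumption 25552 and 20132 are U+63D0 and U+4EA4, two CJK ideographs that together read 提交, the usual label on a Chinese "Submit" button; the script prints the Unicode name of each resolved character so the reading can be checked rather than taken on trust.

```python
import re
import unicodedata
from urllib.parse import parse_qsl

# Constructed sample, not the packet from the thread: a URL-encoded form body
# of the kind the alert carried, terminated with \r\n as the post observes.
# The values 25552 and 20132 are the ones asked about; the field names and
# the '&#...;' framing around them are assumptions made for this example.
SAMPLE_PAYLOAD = "btn=%26%2325552%3B%26%2320132%3B&lang=zh\r\n"

# A full HTML numeric character reference (&#NNNN; or &#xHHHH;), or, as a
# looser fallback, a bare '#NNNNN' token like the ones quoted in the post.
NCR_RE = re.compile(r"&?#([xX][0-9a-fA-F]{1,6}|[0-9]{1,7});?")


def resolve_numeric_refs(text: str) -> str:
    """Replace numeric character references with the code point they name."""
    def repl(m: re.Match) -> str:
        num = m.group(1)
        cp = int(num[1:], 16) if num[0] in "xX" else int(num)
        if cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
            return m.group(0)  # not a valid scalar value: leave the token alone
        return chr(cp)
    return NCR_RE.sub(repl, text)


def describe(text: str) -> list:
    """(char, U+XXXX, Unicode name) for every non-ASCII character in text."""
    return [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"))
            for ch in text if ord(ch) > 0x7F]


def decode_alert_payload(payload: str) -> dict:
    """Strip the trailing CRLF, percent-decode the form body, then resolve
    numeric references inside each field value."""
    body = payload.rstrip("\r\n")
    # parse_qsl splits on the raw '&' first, so a %26 inside a value stays
    # part of that value instead of starting a new field.
    return {name: resolve_numeric_refs(value)
            for name, value in parse_qsl(body, keep_blank_values=True)}


if __name__ == "__main__":
    for name, value in decode_alert_payload(SAMPLE_PAYLOAD).items():
        print(f"{name} = {value!r}")
        for ch, cp, uname in describe(value):
            print(f"    {ch}  {cp}  {uname}")
```

Decoding only tells you what the bytes represent; whether the request is hostile still needs the surrounding session, which is where the tag option mentioned above comes in.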
