[Snort-sigs] Grabbing more content

Paul Schmehl pauls at ...1311...
Tue Feb 14 16:21:01 EST 2006


--On Tuesday, February 14, 2006 18:19:46 -0500 Joel Esler 
<joel.esler at ...435...> wrote:

> Paul,
>
> That may be all there is in the packet.  Try running Snort in packet
> dump mode (or tcpdump) alongside Snort at the same time these packets
> are alerting your IDS.  Make sure you have snaplen set to 0 (-s 0), and
> then compare the two.
>
> That may be all there is.
>
> Snort captures the full snaplen of the packet by default, so unless you
> want to use tag to get the whole session, whatever is in the alert is
> what is in the packet.
>
Thanks, Joel.  I see now that every packet is terminated with a \r\n.

The one packet I emailed to the list that had urlencoded content in it 
decodes to this:

user=blah&pass=blah&SUBMIT=&#25552;&#20132;&#26597;&#35810;&#20869;&#23481;

Does anyone have any idea what those strings mean?  What is #25552?  Or 
#20132?  Etc.?  They look almost like Unicode.  Or HTML color codes.

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
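For anyone working through a payload like the one above: the `&#NNNNN;` tokens are HTML decimal numeric character references, each naming one Unicode code point. The script below is an added example (not part of this thread) that URL-decodes a constructed POST body, pulls out the form fields, and lists each reference with its code point and rendered character; the on-wire encoding of the sample body is an assumption, since the raw packet was not posted here.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample: a URL-encoded form body as it might sit in a Snort
# alert payload.  The SUBMIT value carries HTML decimal numeric character
# references (&#NNNNN;), themselves percent-encoded on the wire
# (%26 = '&', %23 = '#', %3B = ';').  This is an assumed encoding, not the
# captured packet from the thread.
SAMPLE_BODY = (
    "user=blah&pass=blah&SUBMIT="
    "%26%2325552%3B%26%2320132%3B%26%2326597%3B"
    "%26%2335810%3B%26%2320869%3B%26%2323481%3B"
)

# Decimal (&#1234;) or hexadecimal (&#x4D2;) numeric character references.
NCR_RE = re.compile(r"&#(\d+);|&#[xX]([0-9a-fA-F]+);")


def decode_body(body):
    """URL-decode a form body into {field: first_value}."""
    fields = parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def explain_ncrs(value):
    """Return (reference, code_point, character) for each reference in value.

    A value with no references yields an empty list, so plain ASCII
    fields such as user=blah pass through untouched.
    """
    found = []
    for m in NCR_RE.finditer(value):
        cp = int(m.group(1)) if m.group(1) else int(m.group(2), 16)
        found.append((m.group(0), cp, chr(cp)))
    return found


def render_ncrs(value):
    """Resolve every character reference to the text it stands for."""
    return html.unescape(value)


if __name__ == "__main__":
    fields = decode_body(SAMPLE_BODY)
    for name, value in fields.items():
        print(f"{name} = {value!r}")
        for ref, cp, ch in explain_ncrs(value):
            print(f"    {ref:<10} -> U+{cp:04X} {ch}")
        if explain_ncrs(value):
            print(f"    rendered: {render_ncrs(value)}")
```

Running it shows that #25552 is U+63D0 and #20132 is U+4EA4, and that the six references together render as the page text `提交查询内容`.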
