[Snort-sigs] Grabbing more content

Matt Kettler mkettler at ...189...
Tue Feb 14 16:38:01 EST 2006

Paul Schmehl wrote:
> --On Tuesday, February 14, 2006 18:19:46 -0500 Joel Esler
> <joel.esler at ...435...> wrote:
>> Paul,
>> That may be all there is in the packet.  Try running Snort in packet
>> dump mode (or tcpdump) along side Snort at the same time these  packets
>> are alerting your IDS.  Make sure you have snaplen set to 0 (- s 0), and
>> then compare the two.
>> That may be all there is.
>> Snort captures the full snaplen of the packet by default, so unless  you
>> want to use tag to get the whole session, whatever is in the  alert, is
>> what it is in the packet.
> Thanks, Joel.  I see now that every packet is terminated with a \r\n.
> The one packet I emailed to the list that had urlencoded content in it
> decodes to this:
> user=blah&pass=blah&SUBMIT=提交查询内容
> Does anyone have any idea what those strings mean?  What is #25552?  Or
> #20132?  Etc.?  They look almost like unicode.  Or HTML color codes.

Yes, they're unicode. Chinese from the looks of it.

There's a quick way to see what they decode as.. copy the number into
calculator, convert it to hex, and input the hex code into charmap's "go to
unicode" box.

Basic technique from:

Although in this case, we don't have to de-utf8 it, so you can copy-paste the
numeric part into calculator and jump to step 9.

Note: I had to tell charmap to use a "complete" font.. I found that XP's "MS UI
Gothic" worked well to include all the unicode characters.

More information about the Snort-sigs mailing list