[Snort-sigs] Grabbing more content
mkettler at ...189...
Tue Feb 14 16:38:01 EST 2006
Paul Schmehl wrote:
> --On Tuesday, February 14, 2006 18:19:46 -0500 Joel Esler
> <joel.esler at ...435...> wrote:
>> That may be all there is in the packet. Try running Snort in packet
>> dump mode (or tcpdump) alongside Snort at the same time these packets
>> are alerting your IDS. Make sure you have snaplen set to 0 (-s 0), and
>> then compare the two.
>> That may be all there is.
>> Snort captures the full snaplen of the packet by default, so unless you
>> want to use tag to get the whole session, whatever is in the alert, is
>> what it is in the packet.
> Thanks, Joel. I see now that every packet is terminated with a \r\n.
> The one packet I emailed to the list that had urlencoded content in it
> decodes to this:
> Does anyone have any idea what those strings mean? What is #25552? Or
> #20132? Etc.? They look almost like unicode. Or HTML color codes.
Yes, they're unicode. Chinese from the looks of it.
There's a quick way to see what they decode as: copy the number into
calculator, convert it to hex, and input the hex code into charmap's "go to
Basic technique from:
Although in this case, we don't have to de-utf8 it, so you can copy-paste the
numeric part into calculator and jump to step 9.
Note: I had to tell charmap to use a "complete" font; I found that XP's "MS UI
Gothic" worked well to include all the unicode characters.
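The `#25552` / `#20132` strings in the quoted packet are HTML numeric character references (`&#NNNN;`), and the calculator-plus-charmap procedure above is just decimal -> hex -> code point. As an added example (not from the thread), the Python below does that conversion programmatically on a constructed urlencoded fragment of the kind the packet carried, handling both decimal and hex references and rejecting code points that are not valid Unicode.

```python
import re
from urllib.parse import unquote

# Constructed sample payload (an assumption, not the packet from the list):
# a urlencoded fragment carrying "&#25552;&#20132;" followed by \r\n.
SAMPLE = "%26%2325552%3B%26%2320132%3B%0D%0A"

# Matches one numeric character reference: &#25552; (decimal) or &#x63d0; (hex)
_NCR = re.compile(r"&#([xX][0-9a-fA-F]+|[0-9]+);")

def ncr_to_char(ref: str) -> str:
    """Turn the body of one reference ('25552' or 'x63d0') into a character.

    Same steps as the thread: decimal -> code point (shown in hex) -> glyph,
    but refusing values that are not legal Unicode scalar values.
    """
    code = int(ref[1:], 16) if ref[0] in "xX" else int(ref, 10)
    if code > 0x10FFFF or 0xD800 <= code <= 0xDFFF:
        raise ValueError(f"invalid code point in reference &#{ref};")
    return chr(code)

def decode_ncr(text: str) -> str:
    """Expand every numeric character reference in the text."""
    return _NCR.sub(lambda m: ncr_to_char(m.group(1)), text)

def decode_payload(raw: str) -> str:
    """Undo the URL encoding first, then expand the references it contained."""
    return decode_ncr(unquote(raw))

def explain(raw: str) -> list:
    """List (decimal, 'U+XXXX', glyph) for each reference: what charmap's
    'go to Unicode' box would show for the hex value."""
    out = []
    for m in _NCR.finditer(unquote(raw)):
        ch = ncr_to_char(m.group(1))
        out.append((ord(ch), f"U+{ord(ch):04X}", ch))
    return out

if __name__ == "__main__":
    for dec, hx, ch in explain(SAMPLE):
        print(f"&#{dec}; -> {hx} -> {ch}")
    print(repr(decode_payload(SAMPLE)))
```

The two references resolve to U+63D0 and U+4EA4, which are CJK ideographs, matching the "Chinese" guess above.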