[Snort-users] snort -r output

twig les twigles at ...131...
Mon Apr 21 10:51:14 EDT 2003


There is no quick and easy way to know the significance of a hex
value in a packet dump without spending a lot of time looking at
them.  To learn about them, get the Stephen Northcutt book
"Network Intrusion Detection, Third Edition".  As for the
"........" you see, not everything can be translated into ASCII
because not everything is ASCII.  Hmmm, that sounds cryptic. 
Basically, if a bit is flipped because the TCP session is
established or something, then there is no alphanumeric output;
it is just a value represented in hex.

If you don't want to cough up the cash for the book you can just
start looking around the net for IP, TCP, UDP and ICMP packet
formats.

--- Tay Chee Yong <tcy at ...8934...> wrote:
> Hi list,
> 
> I am pretty new to snort, and i would like to find out how do
> I decode the
> snort -r output?  Could anyone tell me what does hex value
> stand for, and
> why are there "......."?
> 
> Basically, I am trying to find out the patterns of the
> packets, so that I
> can match by the content in my rules.
> 
> 04/21-16:02:57.719998 210.24.246.13:62764 -> 203.120.90.33:53
> UDP TTL:124 TOS:0x0 ID:31492 IpLen:20 DgmLen:70
> Len: 42
> 01 62 01 00 00 01 00 00 00 00 00 00 09 4D 41 52  .b...........MAR
> 4B 45 54 49 4E 47 07 61 6C 63 6F 74 65 63 00 00  KETING.alcotec..
> 01 00 01 00 00 00 00 00 00 00                    ..........
> 
> Appreciate any advice.
> 
> Thanks.
> 
> Cheeyong


=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.         
-----------------------------------------------------------
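Worked example, added here and not part of the original thread: it parses the hex columns of the snort -r dump quoted above, rebuilds snort's ASCII column (which is why the length bytes 0x09, 0x07 and 0x00 print as dots), decodes the UDP payload as the DNS query it is, and renders the queried name in snort's |hex| content syntax so it can be matched in a rule. Function names are my own.

```python
import struct

# Constructed input: the 42-byte UDP payload from the snort -r dump above
# (hex columns only; the ASCII column is what ascii_column() rebuilds).
SNORT_DUMP = """
01 62 01 00 00 01 00 00 00 00 00 00 09 4D 41 52
4B 45 54 49 4E 47 07 61 6C 63 6F 74 65 63 00 00
01 00 01 00 00 00 00 00 00 00
"""

def parse_hex_dump(dump):
    """Turn the hex columns of a snort -r dump back into raw bytes."""
    return bytes(int(tok, 16) for tok in dump.split())

def ascii_column(payload):
    """Reproduce snort's right-hand column: printable ASCII as-is, else '.'."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in payload)

def decode_dns_question(payload):
    """Decode the 12-byte DNS header and the first (uncompressed) question."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", payload[:12])
    labels, pos = [], 12
    while True:
        length = payload[pos]          # label length byte: 0x09, 0x07, then 0x00
        pos += 1
        if length == 0:                # root label terminates the name
            break
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {"id": txid, "rd": bool(flags & 0x0100), "qdcount": qdcount,
            "name": ".".join(labels), "qtype": qtype, "qclass": qclass}

def snort_content_for_name(name):
    """Render a DNS name as a snort content: string, hex-escaping the length bytes."""
    return "".join(f"|{len(lbl):02X}|{lbl}" for lbl in name.split(".")) + "|00|"

if __name__ == "__main__":
    payload = parse_hex_dump(SNORT_DUMP)
    print(ascii_column(payload))
    print(decode_dns_question(payload))
    print(snort_content_for_name(decode_dns_question(payload)["name"]))
```

Trailing zero bytes after the question section also show up as dots; only the label text between the length bytes is printable.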
