[Snort-users] Re: help us help you

Brian bmc at ...950...
Tue Nov 2 09:35:34 EST 2004


On Mon, Nov 01, 2004 at 05:30:09PM -0500, Brian wrote:
> Are you in a sensitive environment and just can't get that packet
> payload to me?  Well, I can still use your help.  Run the packet
> payload for each alert through the attached perl script, and send me
> the output.

If you are going to be running your output through my parser, please
use the new parser, which is attached to this email.

Brian
-------------- next part --------------
#!/usr/bin/perl
#
# Walk the AndX command chain of an SMB request given as a Snort-style
# hex dump (up to 16 hex pairs per line, then an ASCII column) and print
# the SMB command byte at each link of the chain, one per line.
use strict;
use warnings;

# Read the dump from STDIN when it is piped in; otherwise fall back to the
# sample request in the __DATA__ section at the end of this file.
my $in = (-t STDIN) ? \*DATA : \*STDIN;

my $bin = '';
while (<$in>) {
    if ($_ =~ /^((?:[0-9a-fA-F]{2}\s){1,16})\s/) {
        my $string = $1;
        $string =~ s/\s+//g;
        $string =~ s/([a-f0-9]{2})/pack("C",hex($1))/ieg;
        $bin .= $string;
    }
}

# The eight SMB commands that carry an AndX block: WriteAndX, NTCreateAndX,
# SessionSetupAndX, OpenAndX, LogoffAndX, ReadAndX, LockingAndX, TreeConnectAndX.
my $andx = qr/(\x2f|\xa2|\x73|\x2d|\x74|\x2e|\x24|\x75)/;

my @commands;
# Offset 8 of the NetBIOS-framed buffer (4-byte session header, then
# "\xffSMB") is the SMB command byte.
if (length($bin) > 8 && substr($bin, 8, 1) =~ $andx) {
    push (@commands, $1);
    # $base is an AndXOffset, relative to the start of the SMB header at
    # buffer offset 4; the header is 32 bytes, so the first parameter block
    # (WordCount, AndXCommand, AndXReserved, AndXOffset) starts right after it.
    my $base = 32;
    my %seen;
    while (1) {
        last if ($base + 9 > length($bin));   # truncated payload
        last if ($seen{$base}++);             # AndXOffset loops back on itself
        my $command = substr($bin, $base + 5, 1);
        $base = unpack("v", substr($bin, $base + 7, 2));
        push (@commands, $command);
        last if ($command !~ $andx);
        last if ($command eq "\xff");
    }
}

foreach my $cmd (@commands) {
   printf("%2.2X\n", unpack("C",$cmd));
}

__DATA__
00 00 00 85 FF 53 4D 42 73 00 00 00 00 18 07 48  .....SMBs......H
00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE  ................
00 00 40 00 0D 75 00 64 00 FF FF 32 00 00 00 1F  ..@..u.d...2....
06 00 00 01 00 00 00 00 00 00 00 D4 00 00 00 27  ...............'
00 00 00 00 57 69 6E 64 6F 77 73 20 32 30 30 30  ....Windows 2000
20 32 31 39 35 00 57 69 6E 64 6F 77 73 20 32 30   2195.Windows 20
30 30 20 35 2E 30 00 00 04 FF 00 85 00 08 00 01  00 5.0..........
00 16 00 00 5C 5C 48 41 42 55 2D 49 49 5C 49 50  ....\\HABU-II\IP
43 24 00 3F 3F 3F 3F 3F 00                       C$.?????.
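The same AndX walk in Python, as an added example that is not part of Brian's script or of Snort: it rebuilds the payload from the dump format above, follows the AndXOffset pointers exactly as the Perl does, maps the command bytes to their CIFS names (the names come from the CIFS specification, not from this message), and rejects chains whose offsets run past the payload or point back at a block already visited.

```python
import re
import struct

# SMB commands that carry an AndX block (names per the CIFS spec); these are
# the byte values the Perl parser above matches.
ANDX_COMMANDS = {
    0x24: "LockingAndX", 0x2D: "OpenAndX", 0x2E: "ReadAndX", 0x2F: "WriteAndX",
    0x73: "SessionSetupAndX", 0x74: "LogoffAndX", 0x75: "TreeConnectAndX",
    0xA2: "NTCreateAndX"}
HEX_LINE = re.compile(r"^((?:[0-9A-Fa-f]{2}\s){1,16})\s")

# The SessionSetupAndX request from the __DATA__ section above, as Snort logs it.
SAMPLE_DUMP = r"""
00 00 00 85 FF 53 4D 42 73 00 00 00 00 18 07 48  .....SMBs......H
00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE  ................
00 00 40 00 0D 75 00 64 00 FF FF 32 00 00 00 1F  ..@..u.d...2....
06 00 00 01 00 00 00 00 00 00 00 D4 00 00 00 27  ...............'
00 00 00 00 57 69 6E 64 6F 77 73 20 32 30 30 30  ....Windows 2000
20 32 31 39 35 00 57 69 6E 64 6F 77 73 20 32 30   2195.Windows 20
30 30 20 35 2E 30 00 00 04 FF 00 85 00 08 00 01  00 5.0..........
00 16 00 00 5C 5C 48 41 42 55 2D 49 49 5C 49 50  ....\\HABU-II\IP
43 24 00 3F 3F 3F 3F 3F 00                       C$.?????.
"""

def dump_to_bytes(dump: str) -> bytes:
    """Rebuild the payload from the hex column of each dump line."""
    return b"".join(bytes.fromhex(m.group(1))
                    for m in map(HEX_LINE.match, dump.splitlines()) if m)

def andx_chain(pkt: bytes, max_links: int = 16):
    """Return the command bytes along the AndX chain; 0xFF marks its end.
    pkt starts with the 4-byte NetBIOS session header, so the SMB command is
    at offset 8 and the first parameter block (WordCount, AndXCommand,
    AndXReserved, AndXOffset) at 36.  AndXOffset is relative to the start of
    the SMB header (offset 4), hence the +5 / +7 arithmetic below."""
    if len(pkt) < 36 or pkt[4:8] != b"\xffSMB":
        raise ValueError("not a NetBIOS-framed SMB message")
    chain, base, seen = [pkt[8]], 32, set()
    while chain[-1] in ANDX_COMMANDS:
        if base in seen or base + 9 > len(pkt) or len(chain) > max_links:
            raise ValueError("AndXOffset chain is cyclic, truncated or too long")
        seen.add(base)
        chain.append(pkt[base + 5])
        base = struct.unpack_from("<H", pkt, base + 7)[0]
    return chain

def chain_names(pkt: bytes):
    """Same walk, with command bytes mapped to their CIFS names."""
    return [ANDX_COMMANDS.get(c, "%02X" % c) for c in andx_chain(pkt)]
```

For the sample request this yields SessionSetupAndX, TreeConnectAndX, FF, which matches the three lines the Perl script prints.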


