Solution: Because the snort data payload potentially contains binary data, it wouldn't be such a great idea to send that over email in a nastygram or to our in-house engineering department, so the best solution to the problem we came to was to print out the HEX tuples. Below is the code that produces the solution.
# Above this are DB queries to OpenAanval
# idsMain.event.eid and idsMain.event.sid correspond
# to snort.data.cid and snort.data.sid respectively
$dbh->do("use snort") or die $dbh->errstr;
# bind $eid/$sid as placeholders instead of interpolating them into the SQL text
my $plh = $dbh->prepare("SELECT data_payload FROM data WHERE cid = ? AND sid = ? LIMIT 1");
$plh->execute($eid, $sid) or die $plh->errstr;
my $ea = '';
while ( my @rows = $plh->fetchrow_array ) {
    $ea = $rows[0];    # hex-encoded payload as stored in the snort database
}
$plh->finish;

my $bit = 2;    # size of grouping: one hex pair per tuple
my @pd;
# walk the hex string two characters at a time and put each pair into an array
for ( my ( $j, $i ) = ( 0, 0 ); $j + $bit <= length($ea); $j += $bit, $i++ ) {
    $pd[$i] = substr( $ea, $j, $bit );
}

my $count = 0;    # number of tuples printed on the current row
my $eb    = '';
foreach my $this (@pd) {
    next if ( length($this) != 2 );    # skip any short trailing piece
    $eb .= "\n" if ( ( $count % 16 ) == 0 && $count != 0 );    # insert cr/lf after 16 tuples
    $eb .= "$this ";    # cat this array entry
    $count++;
}
##### Sample output (padded in comments ;)
#30 XX 02 01 00 04 08 73 33 35 XX 37 31 XX 62 A0
#2E 02 04 BE 41 XX 34 02 01 00 02 01 00 30 20 30
#0E 06 0A 2B 06 01 02 01 02 XX 01 0A XX 05 00 30
#0E XX 0A 2B 06 01 XX 01 02 02 01 10 03 05 00
##### XX inserted to protect the innocent
I hope this helps out. Below is the original posting and the corresponding thread.
amt
Update: The value for $ea is the number of ASCII characters (HEX pairs).
Gentlemen,
Although previously mentioned in this node,
Decoding snort/acid packet data, I am having difficulty decoding data_payload from the snort database in table data.
This segment is provided in the reply:
s/([a-fA-F0-9]{2,2})/chr(hex($1))/eg;
This is the code segment that I have in my script:
$dbh->do("use snort");
my $plh = $dbh->prepare("SELECT data_payload FROM data WHERE cid = '$eid' AND sid = '$sid' LIMIT 1");
$plh->execute();
while( my @rows = $plh->fetchrow_array ){
    # NOTE: s///e in this position returns the number of substitutions made,
    # not the decoded string, so $ea ends up holding a count
    $ea = $rows[0] =~ s/([a-fA-F0-9]{2,2})/chr(hex($1))/exg;
}
$plh->finish;
However, when I insert $ea into an email, it returns 63, when the data is:
303D02010004087333357537316162A02E0204BE41C8340201000201003020300E060A2B060102010202010A030500300E060A2B0601020102020110030500
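The script below is an added example, not amt's code or anything from the thread. It takes the data_payload string quoted above (embedded here as a constructed sample) and shows two things the post discusses: why assigning the result of s///eg yields the substitution count (the "63") rather than the decoded bytes, and how to turn the payload into a 16-tuple-per-row HEX dump that is safe to paste into an email. It goes a little beyond the original by validating the hex string before decoding it and by adding an offset column and a printable-ASCII column, which is the usual hexdump layout an analyst reading the nastygram would expect; the function names hex_to_bytes and hexdump are my own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: the data_payload value quoted in the original post
# (63 bytes, i.e. 126 hex characters).
my $sample = '303D02010004087333357537316162A02E0204BE41C8340201000201003020300E'
           . '060A2B060102010202010A030500300E060A2B0601020102020110030500';

# Decode a hex string into raw bytes. Validate first so a malformed payload
# (odd length, non-hex characters) is rejected instead of silently mangled.
# Returns undef on bad input.
sub hex_to_bytes {
    my ($hex) = @_;
    return undef
        unless defined $hex
            && length($hex) % 2 == 0
            && $hex =~ /\A[0-9A-Fa-f]*\z/;
    # "$ea = $rows[0] =~ s/../chr(hex($1))/eg" stores the number of
    # substitutions (63 for this sample); pack('H*') returns the bytes.
    return pack( 'H*', $hex );
}

# Render raw bytes as a hex dump: offset, $width hex tuples per row, and a
# printable-ASCII column with non-printable bytes shown as '.'. The output
# is plain 7-bit text, so it can go straight into an email body.
sub hexdump {
    my ( $bytes, $width ) = @_;
    $width ||= 16;
    my $out = '';
    for ( my $off = 0; $off < length($bytes); $off += $width ) {
        my $chunk = substr( $bytes, $off, $width );
        my @hex = map { sprintf '%02X', ord($_) } split //, $chunk;
        ( my $ascii = $chunk ) =~ s/[^\x20-\x7E]/./g;
        $out .= sprintf "%08X  %-*s |%s|\n",
            $off, $width * 3 - 1, join( ' ', @hex ), $ascii;
    }
    return $out;
}

my $raw = hex_to_bytes($sample);
die "data_payload is not a well-formed hex string\n" unless defined $raw;
print hexdump($raw);
```

Running it prints four rows (16, 16, 16 and 15 tuples), matching the sample output in the solution above, with the byte offset on the left and the printable characters on the right; the "s335u71ab" fragment in the ASCII column is the same data shown as 73 33 35 75 37 31 61 62 in the hex column.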