amt has asked for the wisdom of the Perl Monks concerning the following question:

Solution: Because the snort data payload potentially contains binary data, it wouldn't be such a great idea to send that over email in a nastygram or to our in-house engineering department, so the best solution to the problem we came to was to print out the HEX tuples. Below is the code that produces the solution.
# Above this are DB queries to OpenAanval
# idsMain.event.eid and idsMain.event.sid correspond
# to snort.data.cid and snort.data.sid respectively
$dbh->do("use snort") or die "$DBI::errstr\n";
# bind $eid and $sid as placeholders rather than interpolating them into the SQL
my $plh = $dbh->prepare("SELECT data_payload FROM data WHERE cid = ? AND sid = ? LIMIT 1");
$plh->execute($eid, $sid) or die "$DBI::errstr\n";
my $ea;
while( my @rows = $plh->fetchrow_array ){
    $ea = $rows[0];
}
$plh->finish;

my $bit = 2;   # size of grouping
my @pd;
for (my ($j,$i) = (0,0); $i < length($ea); $j += $bit, $i++) {
    if( $j+$bit <= length($ea) ) {
        $pd[$i] = substr($ea,$j,$bit);   # put into an array
    } else {
        next;                            # skip any errors
    }
}

my $count = 0;   # count for number of tuples in a row
my $eb = '';
foreach my $this (@pd){
    next if (length($this) != 2);                              # skip errors from above
    $eb .= "\n" if( (($count % 16) == 0) && ($count != 0) );   # insert cr/lf when 16 chars are printed
    $eb .= "$this ";                                           # cat this array entry
    $count++;
}

##### Sample output (padded in comments ;)
#30 XX 02 01 00 04 08 73 33 35 XX 37 31 XX 62 A0
#2E 02 04 BE 41 XX 34 02 01 00 02 01 00 30 20 30
#0E 06 0A 2B 06 01 02 01 02 XX 01 0A XX 05 00 30
#0E XX 0A 2B 06 01 XX 01 02 02 01 10 03 05 00
##### XX inserted to protect the innocent

I hope this helps out. Below is the original posting and the corresponding thread.

amt

Update: The value for $ea is the number of ASCII characters (HEX pairs)
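Building on the hex-tuple idea above, here is an added example (mine, not amt's code from the thread) that turns a stored data_payload hex string into a classic mail-safe dump: an offset, 16 hex pairs per row, and an ASCII column in which every non-printable byte is masked. The helper name hexdump_payload is hypothetical; the payload string is the one quoted in the original question below.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper, not from the thread: format a snort data_payload
# hex string as "offset  16 hex pairs  |ascii|" rows. Only printable 7-bit
# ASCII reaches the right-hand column, so nothing binary ends up in the mail.
sub hexdump_payload {
    my ($hex) = @_;
    $hex =~ s/\s+//g;                      # tolerate whitespace in the stored text
    die "payload is not an even-length hex string\n"
        unless $hex =~ /\A(?:[0-9a-fA-F]{2})*\z/;

    my $raw = pack('H*', $hex);            # hex text -> raw bytes (pack "H*" as Joost notes)
    my @lines;
    for (my $off = 0; $off < length($raw); $off += 16) {
        my $chunk = substr($raw, $off, 16);
        my @pairs = unpack('(H2)*', $chunk);          # one "xx" per byte
        my $ascii = $chunk;
        $ascii =~ s/[^\x20-\x7e]/./g;                 # mask anything unprintable
        push @lines, sprintf("%08x  %-47s  |%s|",
            $off, join(' ', @pairs), $ascii);
    }
    return join("\n", @lines) . "\n";
}

# Constructed run using the 63-byte payload quoted in the question.
my $payload = '303D02010004087333357537316162A02E0204BE41C834020100020100'
            . '3020300E060A2B060102010202010A030500300E060A2B0601020102020110030500';
print hexdump_payload($payload);
```

An odd-length or non-hex value is rejected up front rather than silently skipped, so a truncated row in the database is noticed instead of producing a short dump.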

Gentlemen,

Although previously mentioned in this node, Decoding snort/acid packet data, I am having difficulty decoding data_payload from the snort database in table data.

This segment is provided in the reply: s/([a-fA-F0-9]{2,2})/chr(hex($1))/eg;

This is the code segment that I have in my script:
$dbh->do("use snort");
my $plh = $dbh->prepare("SELECT data_payload FROM data WHERE cid = '$eid' AND sid = '$sid' LIMIT 1");
$plh->execute();
while( my @rows = $plh->fetchrow_array ){
    $ea = $rows[0] =~ s/([a-fA-F0-9]{2,2})/chr(hex($1))/exg;
}
$plh->finish;

However, when I'm inserting $ea into an email, it returns 63, when the data is: 303D02010004087333357537316162A02E0204BE41C8340201000201003020300E060A2B060102010202010A030500300E060A2B0601020102020110030500
amt.


Re: Snort data_payload decoding
by Joost (Canon) on Oct 14, 2004 at 14:56 UTC
    This line
    $ea = $rows[0] =~ s/([a-fA-F0-9]{2,2})/chr(hex($1))/exg;
    converts $rows[0] to binary data represented by the hexadecimal pairs, and sets $ea to the number of replace actions done by s///. It sounds like you want to store $rows[0] somewhere, to use later.

    Also, you can use pack() for this:

    $string = pack "H*",$rows[0];
    Note: The data you present contain unprintable characters in ASCII, so mailing them around in plain text is probably not a good idea.

      Joost, this script is intended to email our engineering group the payload data from an IDS signature. So, yes, I do intend on saving the data and passing it along in the email.

      Thinking about it, would it be just as useful to chop the HEX string into a neater tuple presentation?

      amt.


        Nit: {2,2} is the same as {2}

        unpack can do your hexifying quite nicely, so you end up with:

        while (...) {
            my $raw_length = length($rows[0]);    # Formerly named $ea
            my $encoded = unpack('H*', $rows[0]);
            # ...do something with these vars...
        }

        You could also use MIME::Base64, which results in a smaller output.