in reply to Snort data_payload decoding

This line
$ea = $rows[0] =~ s/([a-fA-F0-9]{2,2})/chr(hex($1))/exg;
converts $rows[0] to binary data represented by the hexadecimal pairs, and sets $ea to the number of replace actions done by s///. It sounds like you want to store $rows[0] somewhere, to use later.

Also, you can use pack() for this:

$string = pack "H*",$rows[0];
Note: The data you present contain unprintable characters in ASCII, so mailing them around in plain text is probably not a good idea.

Re^2: Snort data_payload decoding
by amt (Monk) on Oct 14, 2004 at 15:12 UTC
    [id://Joost], this script is intended to email our engineering group the payload data from an IDS signature. So, yes, I do intend to save the data and pass it along in the email.

    Thinking about it, would it be just as useful to chop the hex string into a neater tuple presentation?

    amt.

    perlcheat

      Nit: {2,2} is the same as {2}

      unpack can do your hexifying quite nicely, so you end up with:

      while (...) {
          my $raw_length = length($rows[0]);      # Formerly named $ea
          my $encoded    = unpack('H*', $rows[0]);
          ...do something with these vars...
      }

      You could also use MIME::Base64, which results in a smaller output.

        [id://ikegami], I tried using MIME::Base64 to decode the string, and I got the string:
        Mm5M8}^`4M6ӏ;ߝ6]4m5MMM: ӭ5m5m6

        From the string:
        303D02010004087333357537316162A02E0204870BAF350201000201003020300E060A2B060102010202010A050500300E060A2B0601020102020110050500

        Ideally, I want it to look like something like this:
        000 : 30 3D 02 01 00 04 08 73 33 35 75 37 31 61 62 A0  0=.....s35u71ab.
        010 : 2E 02 04 87 0B AF 35 02 01 00 02 01 00 30 20 30  ......5......0 0
        020 : 0E 06 0A 2B 06 01 02 01 02 02 01 0A 05 05 00 30  ...+...........0
        030 : 0E 06 0A 2B 06 01 02 01 02 02 01 10 05 05 00     ...+...........


        These are all from the same packet; the problem is that I can't pass the preformatted text from OpenAanval, so I have to dig through the raw DB.

        amt.

        perlcheat
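Putting the thread together, here is an added example (my own code, not from any of the posts above) that takes the hex data_payload string amt quoted, converts it to bytes with pack 'H*' as Joost suggested, and prints it in the offset / hex / ASCII layout amt asked for. Before packing it checks that the input really is an even run of hex digits, because pack 'H*' will silently pad an odd-length string and mis-decode non-hex characters rather than complain. The helper names hex_to_bytes and hexdump are my own, and the Base64 line at the end is one way to carry the raw bytes in the mail alongside the dump, following Joost's warning about mailing unprintable bytes as plain text.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64);

# Sample input: the hex data_payload quoted in the thread above,
# as it would come back from the Snort database.
my $hex = '303D02010004087333357537316162A02E0204870BAF350201000201003020300E060A'
        . '2B060102010202010A050500300E060A2B0601020102020110050500';

# Turn the hex text from the database into the raw packet bytes.
# Refuse anything that is not an even number of hex digits instead of
# letting pack('H*') silently pad or mis-decode a stray character.
sub hex_to_bytes {
    my ($h) = @_;
    $h =~ s/\s+//g;                               # tolerate wrapped or spaced input
    die "odd-length hex string\n"      if length($h) % 2;
    die "non-hex character in input\n" if $h =~ /[^0-9a-fA-F]/;
    return pack 'H*', $h;
}

# Render bytes as "offset : hex pairs  ascii", 16 bytes per line, with
# every byte outside printable ASCII (0x20-0x7E) shown as '.'.
sub hexdump {
    my ($bytes, $width) = @_;
    $width ||= 16;
    my @lines;
    for (my $off = 0; $off < length $bytes; $off += $width) {
        my $chunk  = substr $bytes, $off, $width;
        my $hexcol = join ' ', map { sprintf '%02X', $_ } unpack 'C*', $chunk;
        (my $ascii = $chunk) =~ s/[^\x20-\x7E]/./g;
        # pad the hex column so the ASCII column lines up on a short last row
        push @lines, sprintf '%03X : %-*s  %s', $off, 3 * $width - 1, $hexcol, $ascii;
    }
    return @lines;
}

my $bytes = hex_to_bytes($hex);
print "$_\n" for hexdump($bytes);

# The dump above is already safe plain text for an e-mail body. If the raw
# bytes themselves are wanted too, send them Base64-encoded, not as-is.
print "\nbase64: ", encode_base64($bytes);
```

The first line printed is `000 : 30 3D 02 01 00 04 08 73 33 35 75 37 31 61 62 A0  0=.....s35u71ab.`, matching the layout in amt's post; the last row is padded so the ASCII column stays aligned even though only 15 bytes remain. Because the ASCII column replaces anything outside 0x20-0x7E with a dot, the dump can be pasted straight into a plain-text mail, which the raw pack() output cannot.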