in reply to Re^2: Snort data_payload decoding
in thread Snort data_payload decoding

Nit: {2,2} is the same as {2}

unpack can do your hexifying quite nicely, so you end up with:

    while (...) {
        my $raw_length = length($rows[0]);   # Formerly named $ea
        my $encoded    = unpack('H*', $rows[0]);
        ...do something with these vars...
    }

You could also use MIME::Base64, which results in a smaller output.

Re^4: Snort data_payload decoding
by amt (Monk) on Oct 14, 2004 at 16:23 UTC
    ikegami, I tried using MIME::Base64 to decode the string, and I got the string:
    Mm5M8}^`4M6ӏ;ߝ6]4m5MMM: ӭ5m5m6

    From the string:
    303D02010004087333357537316162A02E0204870BAF350201000201003020300E060A2B060102010202010A050500300E060A2B0601020102020110050500

    Ideally, I want it to look like something like this:
    000 : 30 3D 02 01 00 04 08 73 33 35 75 37 31 61 62 A0  0=.....s35u71ab.
    010 : 2E 02 04 87 0B AF 35 02 01 00 02 01 00 30 20 30  ......5......0 0
    020 : 0E 06 0A 2B 06 01 02 01 02 02 01 0A 05 05 00 30  ...+...........0
    030 : 0E 06 0A 2B 06 01 02 01 02 02 01 10 05 05 00     ...+...........


    These are all from the same packet, the problem is that I can't pass the preformatted test from OpenAanval, so I have to dig through the raw DB.

    amt.

    perlcheat

      Oops! You're trying to decode! Switch unpack for pack. It's odd to decode before putting it into an email. Is binary data even allowed in emails?

          while (...) {
              my $encoded    = pack('H*', $rows[0]);
              my $raw_length = length($rows[0]);   # Formerly named $ea
              ...do something with these vars...
          }

        Is binary data even allowed in emails?

        Don't think so - if it were, we would not need Base64 encoding and all that tricky Mime business:)