Snort mailing list archives
Re: snort -r output (Away until 29/07/2002)
From: twig les <twigles () yahoo com>
Date: Mon, 21 Apr 2003 13:42:25 -0700 (PDT)
This is an English-language list.

--- Pascal Painparay <pascal.painparay () tdf fr> wrote:

I am away until 21/04/03 inclusive. In case of emergency, you can contact: Christophe Savin at 01 49 15 32 75.
Regards, Pascal Painparay

>>> twigles 04/21/03 19:50 >>>

There is no quick and easy way to know the significance of a hex value in a packet dump without spending a lot of time looking at them. To learn about them get the Stephen Northcutt book "Network Intrusion Detection, Third Edition". As for the "........" you see, not everything can be translated into ASCII because not everything is ASCII. Hmmm, that sounds cryptic. Basically if a bit is flipped because the TCP session is established or something, then there is no alpha-numeric output, it is just a value represented in hex. If you don't want to cough up the cash for the book you can just start looking around the net for IP, TCP, UDP and ICMP packet formats.

--- Tay Chee Yong <tcy () pacific net sg> wrote:

Hi list,

I am pretty new to snort, and I would like to find out how to decode the snort -r output. Could anyone tell me what the hex values stand for, and why there are "......."? Basically, I am trying to find out the patterns of the packets, so that I can match by the content in my rules.

04/21-16:02:57.719998 210.24.246.13:62764 -> 203.120.90.33:53
UDP TTL:124 TOS:0x0 ID:31492 IpLen:20 DgmLen:70 Len: 42
01 62 01 00 00 01 00 00 00 00 00 00 09 4D 41 52  .b...........MAR
4B 45 54 49 4E 47 07 61 6C 63 6F 74 65 63 00 00  KETING.alcotec..
01 00 01 00 00 00 00 00 00 00                    ..........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Appreciate any advice. Thanks.
Cheeyong

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.
-----------------------------------------------------------

__________________________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo
http://search.yahoo.com
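The question in the thread (what the hex column means, why the right-hand column is mostly dots, and how to turn a byte pattern into a rule) can be answered concretely against the dump Tay posted. The script below is an added example and is not part of the thread or of Snort itself: it rebuilds the raw bytes from the hex column of that dump (the bytes are taken from the post; the function names and the Snort-style renderer are my own), re-creates the ASCII column the way Snort prints it so the "." placeholders are visible as non-printable bytes, decodes the packet as the DNS query it is (RFC 1035 header and question), and renders the question bytes in `content:` syntax with `|hex|` escapes for the non-printable bytes.

```python
import string
import struct

# Hex dump copied from the `snort -r` output quoted in the thread (a DNS query, Len: 42).
SNORT_DUMP = """\
01 62 01 00 00 01 00 00 00 00 00 00 09 4D 41 52  .b...........MAR
4B 45 54 49 4E 47 07 61 6C 63 6F 74 65 63 00 00  KETING.alcotec..
01 00 01 00 00 00 00 00 00 00                    ..........
"""

HEX_COLUMNS = 16 * 3  # Snort prints 16 bytes per line as "XX ", then the ASCII column


def dump_to_bytes(dump: str) -> bytes:
    """Recover raw bytes from the hex column of a Snort payload dump.

    Only the hex column is used: the ASCII column is lossy, because every byte that
    is not a printable ASCII character is shown as '.', which is what the thread asks about.
    """
    out = bytearray()
    for line in dump.splitlines():
        for tok in line[:HEX_COLUMNS].split():
            if len(tok) != 2 or any(c not in string.hexdigits for c in tok):
                break  # first non-hex token: we have reached the ASCII column
            out.append(int(tok, 16))
    return bytes(out)


def to_ascii_column(chunk: bytes) -> str:
    """Render bytes the way Snort's ASCII column does: printable ASCII stays, the rest is '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)


def hexdump(data: bytes, width: int = 16) -> list:
    """Re-create the Snort-style dump (hex column, two spaces, ASCII column) from raw bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        lines.append(f"{hex_part}  {to_ascii_column(chunk)}")
    return lines


def parse_dns_query(payload: bytes) -> dict:
    """Decode the DNS header and first question of a UDP DNS payload (RFC 1035 section 4.1).

    The leading 12 bytes are fixed-width header fields, which is why they have no ASCII
    meaning; the length-prefixed labels (09 'MARKETING', 07 'alcotec') are the readable part.
    """
    if len(payload) < 12:
        raise ValueError("payload shorter than a DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", payload[:12])
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question name")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question name")
        labels.append(payload[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("truncated question type/class")
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    pos += 4
    return {
        "id": txid,
        "flags": flags,
        "is_query": not (flags & 0x8000),  # QR bit clear means query
        "qdcount": qdcount, "ancount": ancount, "nscount": nscount, "arcount": arcount,
        "qname": ".".join(labels),
        "qtype": qtype,
        "qclass": qclass,
        "question_bytes": payload[12:pos],  # the part a content: match would key on
        "trailing_bytes": len(payload) - pos,  # padding after the question (7 here)
    }


def snort_content(pattern: bytes) -> str:
    """Render bytes as a Snort `content:` argument: printable runs stay literal, everything
    else (plus the characters Snort treats specially inside content) goes into |hex| escapes."""
    special = b'|";\\'
    parts, hexrun = [], []

    def flush():
        if hexrun:
            parts.append("|" + " ".join(hexrun) + "|")
            hexrun.clear()

    for b in pattern:
        if 0x20 <= b < 0x7F and b not in special:
            flush()
            parts.append(chr(b))
        else:
            hexrun.append(f"{b:02X}")
    flush()
    return '"' + "".join(parts) + '"'


if __name__ == "__main__":
    raw = dump_to_bytes(SNORT_DUMP)
    print("\n".join(hexdump(raw)))
    q = parse_dns_query(raw)
    print(q)
    print("content:" + snort_content(q["question_bytes"]) + ";")
```

Run as-is it prints the dump back in Snort's layout, the decoded header (ID 0x0162, flags 0x0100, one question for `MARKETING.alcotec` type A class IN, seven trailing zero bytes) and `content:"|09|MARKETING|07|alcotec|00 00 01 00 01|";`, which is the byte pattern a rule would match rather than the lossy ASCII column.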
Current thread:
- Re: snort -r output (Away until 29/07/2002) twig les (Apr 21)