Cisco Support Community

New Member

How to parse /usr/nr/var/log.* files on sensor or director

Is there any way to decode the last field in /usr/nr/var/log.*?

If I understand correctly, this is the payload that triggered the signature.

4,1000131,2001/10/29,18:39:21,2001/10/29,10:39:21,10008,XX,XX,OUT,OUT,3,5160,0,TCP/IP,XX.XX.XX.XX,XX.XX.XX.XX,2687,80,0.0.0.0,?M=A,7777772E31686F74626F782E636F6D2F3F443D410D0A4163636570742D4C616E67756167653A20656E2D75730D0A4163636570742

New Member

Re: How to parse /usr/nr/var/log.* files on sensor or director

Bit o' code I use:

    #include <iostream>
    #include <string>
    #include <cstdlib>

    using namespace std;

    // Reads one whitespace-delimited token (the hex context buffer) from stdin
    // and prints it decoded: printable ASCII as-is, control characters as ^x,
    // anything else as \0xNN.
    int main(int argc, char *argv[])
    {
        string inLine, rbuf;
        char tc[3];
        string::iterator sit;
        int nvalue;

        cin >> inLine;
        cout << endl;
        // cout << "inLine: [" << inLine << "]" << endl;

        rbuf = "";
        tc[2] = '\0';

        // Consume two hex digits per iteration; a trailing unpaired digit is dropped.
        for (sit = inLine.begin(); sit != inLine.end(); sit++) {
            tc[0] = *sit++;
            if (sit == inLine.end())
                break;
            tc[1] = *sit;
            nvalue = strtol(tc, NULL, 16);   // a non-hex pair (e.g. "ZZ") yields 0 here
            // cout << "tc [" << tc << "] nvalue = " << nvalue << endl;
            if ((nvalue > 1) && (nvalue < 32)) {
                rbuf += '^';
                rbuf += (char)(nvalue + 96);   // lower-case caret form, e.g. 0x0D -> ^m
            } else if ((nvalue >= 32) && (nvalue <= 126)) {
                rbuf += (char)nvalue;
            } else {
                rbuf += "\\0x";
                rbuf += tc;
            }
        }

        cout << " [" << rbuf << "]" << endl;
        return 0;
    } // end of main

Cisco Employee

Re: How to parse /usr/nr/var/log.* files on sensor or director

This last field is what we call the Context Buffer.

It is a hex representation of the characters.

Take two digits at a time and convert them to their character equivalent.

Refer to a chart that converts hex to ASCII characters.

Example chart: http://www.asciitable.com/

The "ZZ" is a special character we use to split the Context Buffer in two.

The first part of the buffer holds characters from the source address, and the second half holds characters from the destination.
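Putting the two replies together, here is an added example (mine, not code posted by either reply) that decodes the context buffer of a whole log record in Python. It takes the last comma-separated field, walks it two hex digits at a time, treats the "ZZ" pair as the source/destination split described above, renders control characters in caret notation, and keeps any unpaired trailing digit (the line in the question ends with a stray "2"). The first record is the one from the question, re-joined onto one line; the second is a constructed record with a "ZZ" split that I made up to exercise that path, so its request and reply bytes are not from any real sensor.

```python
"""Decode the Context Buffer (last field) of a /usr/nr/var/log.* record.

Added example, not code posted in this thread. Assumptions (from the replies
above): the buffer is the last comma-separated field, two hex digits per byte,
and the literal "ZZ" pair separates the source half from the destination half.
"""

# The record from the question, re-joined onto one line (addresses masked as posted).
QUESTION_LINE = (
    "4,1000131,2001/10/29,18:39:21,2001/10/29,10:39:21,10008,XX,XX,OUT,OUT,3,5160,0,"
    "TCP/IP,XX.XX.XX.XX,XX.XX.XX.XX,2687,80,0.0.0.0,?M=A,"
    "7777772E31686F74626F782E636F6D2F3F443D410D0A4163636570742D4C616E67756167653A"
    "20656E2D75730D0A4163636570742"
)

# Constructed record (not from the thread): the same header fields, then a
# context buffer with a "ZZ" split between a made-up request and a made-up reply.
CONSTRUCTED_LINE = (
    QUESTION_LINE.rsplit(",", 1)[0] + ","
    + "474554202F20485454502F312E300D0A"      # "GET / HTTP/1.0\r\n"  (source side)
    + "ZZ"
    + "485454502F312E3120323030204F4B0D0A"    # "HTTP/1.1 200 OK\r\n" (destination side)
)


def context_buffer(line):
    """Return the last comma-separated field of a record, i.e. the hex buffer."""
    return line.rstrip("\r\n").rsplit(",", 1)[-1]


def split_halves(hexbuf):
    """Walk the buffer two characters at a time.

    A "ZZ" pair can never be valid hex, so it is unambiguous as the separator:
    everything before it is source-side data, everything after is destination-side.
    Returns (src_bytes, dst_bytes, leftover); leftover is an unpaired trailing
    digit, which a truncated record (like the one in the question) can end with.
    A pair that is neither hex nor "ZZ" raises ValueError instead of decoding to 0.
    """
    halves = [bytearray(), bytearray()]
    side = 0
    i = 0
    while i + 1 < len(hexbuf):
        pair = hexbuf[i:i + 2]
        i += 2
        if pair == "ZZ":
            side = 1
            continue
        halves[side].append(int(pair, 16))
    return bytes(halves[0]), bytes(halves[1]), hexbuf[i:]


def render(data):
    """Printable view: ASCII as-is, control characters in caret notation
    (0x0D -> ^M, 0x0A -> ^J, 0x7F -> ^?), anything else as \\xNN."""
    out = []
    for b in data:
        if 32 <= b <= 126:
            out.append(chr(b))
        elif b < 32:
            out.append("^" + chr(b + 64))
        elif b == 127:
            out.append("^?")
        else:
            out.append("\\x%02X" % b)
    return "".join(out)


def decode_record(line):
    """Decode one log record into its source and destination context text."""
    src, dst, leftover = split_halves(context_buffer(line))
    return {
        "src_bytes": src,
        "dst_bytes": dst,
        "src": render(src),
        "dst": render(dst),
        "leftover": leftover,
    }


if __name__ == "__main__":
    for label, line in (("question", QUESTION_LINE), ("constructed", CONSTRUCTED_LINE)):
        rec = decode_record(line)
        print("%s: src=[%s] dst=[%s] leftover=%r"
              % (label, rec["src"], rec["dst"], rec["leftover"]))
```

Run as a script it prints the question's buffer as www.1hotbox.com/?D=A^M^JAccept-Language: en-us^M^JAccept with the stray "2" reported separately. Unlike strtol in the snippet above, int(pair, 16) raises on a pair that is not hex, so corruption in the field is reported rather than silently decoded as 0x00.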
