10-29-2001 08:48 AM - edited 03-08-2019 08:59 PM
Is there any way to decode the last field in /usr/nr/var/log.*?
If I understand correctly, this is the payload that triggered the signature.
4,1000131,2001/10/29,18:39:21,2001/10/29,10:39:21,10008,XX,XX,OUT,OUT,3,5160,0,TCP/IP,XX.XX.XX.XX,XX.XX.XX.XX,2687,80,0.0.0.0,?M=A,7777772E31686F74626F782E636F6D2F3F443D410D0A4163636570742D4C616E67756167653A20656E2D75730D0A4163636570742
10-29-2001 08:48 AM
Bit o' code I use:
#include <iostream>
#include <string>
#include <cstdlib>
using namespace std;

// Reads one hex string from stdin and prints it decoded two hex digits at a
// time: printable ASCII as-is, control codes as ^x, anything else as \0xHH.
int main(int argc, char *argv[])
{
    string inLine, rbuf;
    char tc[3];
    string::iterator sit;
    int nvalue;

    cin >> inLine;
    cout << endl;
    // cout << "inLine: [" << inLine << "]" << endl;
    rbuf = "";
    tc[2] = '\0';
    for (sit = inLine.begin(); sit != inLine.end(); sit++) {
        tc[0] = *sit++;
        if (sit == inLine.end())        // odd number of digits: trailing nibble is dropped
            break;
        tc[1] = *sit;
        nvalue = strtol(tc, NULL, 16);  // a non-hex pair such as "ZZ" yields 0 here
        // cout << "tc [" << tc << "] nvalue = " << nvalue << endl;
        if ((nvalue > 1) && (nvalue < 32)) {
            rbuf += '^';                // control character, e.g. 0x0D -> ^m
            rbuf += (char)(nvalue + 96);
        } else if ((nvalue >= 32) && (nvalue <= 126)) {
            rbuf += (char)nvalue;       // printable ASCII
        } else {
            rbuf += "\\0x";             // anything else is shown as raw hex
            rbuf += tc;
        }
    }
    cout << " [" << rbuf << "]" << endl;
    return 0;
} // end of main
10-29-2001 08:48 AM
This last field is what we call the Context Buffer.
It is a hex representation of the characters.
Take two digits at a time and convert them to their character equivalent.
Refer to a chart that converts Hex to ASCII characters.
Example chart: http://www.asciitable.com/
The "ZZ" is a special character we use to split the Context Buffer in two.
The first part of the buffer was characters from the source address, and the second half was characters from the destination.
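A decoder for the record layout and Context Buffer described in this thread, as an added example (not code from the thread): it takes the last comma-separated field, splits it on the "ZZ" marker into the source and destination halves, and decodes each half with the same printable/^control/\0xHH convention the C++ snippet uses. The log record, hostnames and addresses are constructed for the example.

```python
"""Decode the Context Buffer (last field) of a NetRanger / Cisco IDS log record."""

# Constructed sample record in the layout shown in the thread (not real sensor output):
# a request on the source side, the start of the server's reply on the destination side.
SAMPLE_RECORD = (
    "4,1000131,2001/10/29,18:39:21,2001/10/29,10:39:21,10008,XX,XX,OUT,OUT,3,5160,0,"
    "TCP/IP,10.0.0.5,192.0.2.7,2687,80,0.0.0.0,?M=A,"
    "474554202F3F443D4120485454502F312E300D0A"   # "GET /?D=A HTTP/1.0\r\n"
    "ZZ"                                          # source / destination split marker
    "485454502F312E3120323030204F4B0D0A"         # "HTTP/1.1 200 OK\r\n"
)


def hex_to_text(hexstr):
    """Decode hex pairs the way the thread's C++ snippet does: printable ASCII
    as-is, control codes 0x02-0x1F as ^x (value + 96), anything else as \\0xHH.
    Unlike the C++ loop, an odd trailing nibble (a truncated record, as in the
    question's sample) is kept as \\0x plus the nibble rather than dropped."""
    out = []
    for i in range(0, len(hexstr) - 1, 2):
        pair = hexstr[i:i + 2]
        try:
            value = int(pair, 16)
        except ValueError:              # non-hex pair: show it raw
            out.append("\\0x" + pair)
            continue
        if 1 < value < 32:
            out.append("^" + chr(value + 96))   # 0x0D -> ^m, 0x0A -> ^j
        elif 32 <= value <= 126:
            out.append(chr(value))
        else:
            out.append("\\0x" + pair)
    if len(hexstr) % 2:
        out.append("\\0x" + hexstr[-1])
    return "".join(out)


def decode_context_buffer(record):
    """Return (source_text, destination_text) for one full log record.
    Fields are comma-separated and the Context Buffer is the last one;
    "ZZ" cannot occur in valid hex, so it is an unambiguous separator."""
    buf = record.rstrip("\r\n").rsplit(",", 1)[1]
    src_hex, _, dst_hex = buf.partition("ZZ")
    return hex_to_text(src_hex), hex_to_text(dst_hex)


if __name__ == "__main__":
    src, dst = decode_context_buffer(SAMPLE_RECORD)
    print("source      : [%s]" % src)
    print("destination : [%s]" % dst)
```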