How to parse /usr/nr/var/log.* files on sensor or director

DSmirnov
Level 1

Is there any way to decode the last field in /usr/nr/var/log.*?

If I understand correctly, this is the payload that triggered the signature.

4,1000131,2001/10/29,18:39:21,2001/10/29,10:39:21,10008,XX,XX,OUT,OUT,3,5160,0,TCP/IP,XX.XX.XX.XX,XX.XX.XX.XX,2687,80,0.0.0.0,?M=A,7777772E31686F74626F782E636F6D2F3F443D410D0A4163636570742D4C616E67756167653A20656E2D75730D0A4163636570742

2 Replies

robert.lau
Level 1

Bit o' code I use:

    // Reads one hex string (the Context Buffer field) from stdin and prints it
    // decoded: printable ASCII as-is, control characters in caret notation,
    // anything else as \0xNN.
    #include <iostream>
    #include <string>
    #include <cstdlib>

    using namespace std;

    int main(int argc, char *argv[])
    {
        string inLine, rbuf;
        char tc[3];                 // two hex digits plus terminating NUL
        string::iterator sit;
        int nvalue;

        cin >> inLine;
        cout << endl;
        // cout << "inLine: [" << inLine << "]" << endl;

        rbuf = "";
        tc[2] = '\0';

        // Walk the string two hex digits at a time; stop on a trailing odd digit.
        for (sit = inLine.begin(); sit != inLine.end(); sit++) {
            tc[0] = *sit++;
            if (sit == inLine.end())
                break;
            tc[1] = *sit;
            nvalue = strtol(tc, NULL, 16);
            // cout << "tc [" << tc << "] nvalue = " << nvalue << endl;

            if ((nvalue > 1) && (nvalue < 32)) {
                rbuf += '^';                      // control char: ^ plus letter
                rbuf += (char)(nvalue + 96);
            } else if ((nvalue >= 32) && (nvalue <= 126)) {
                rbuf += (char)nvalue;             // printable ASCII
            } else {
                rbuf += "\\0x";                   // anything else, as raw hex
                rbuf += tc;
            }
        }

        cout << " [" << rbuf << "]" << endl;
        return 0;
    } // end of main

This last field is what we call the Context Buffer.

It is the hex representation of the characters. Take two digits at a time and convert them to their character equivalent. Refer to a chart that converts hex to ASCII characters.

Example chart: http://www.asciitable.com/

The "ZZ" is a special character we use to split the Context Buffer in two. The first part of the buffer is the characters from the source address, and the second half is the characters from the destination.
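The same decoding as an added, stand-alone example in Python (not code from either poster). It splits a log record on commas, treats the last field as the Context Buffer, decodes the hex two digits at a time, and honours the "ZZ" separator from the reply above. Assumptions: "ZZ" appears literally inside the hex stream (it is not a hex digit, which is presumably why it was chosen as a separator); the layout of the other fields is not documented on this page, so they are returned as-is rather than named; control characters are rendered in the usual ^A style (byte + 64) instead of the lowercase form the C++ snippet uses. The first sample record is the one from the question, hex truncated exactly as posted, so the decoder also shows how to cope with a dangling half byte; the second buffer is constructed to exercise the "ZZ" split.

```python
import re

# Record copied from the question above (addresses were masked with XX there and the
# hex was cut off mid-byte as posted). The Context Buffer is the last comma-separated field.
SAMPLE_RECORD = (
    "4,1000131,2001/10/29,18:39:21,2001/10/29,10:39:21,10008,XX,XX,OUT,OUT,3,5160,0,"
    "TCP/IP,XX.XX.XX.XX,XX.XX.XX.XX,2687,80,0.0.0.0,?M=A,"
    "7777772E31686F74626F782E636F6D2F3F443D410D0A4163636570742D4C616E67756167653A20656E2D75730D0A4163636570742"
)

# Constructed buffer carrying the 'ZZ' separator described in the reply. Assumption: the
# separator is the literal letters ZZ embedded in the hex stream, not an encoded byte pair.
SAMPLE_WITH_ZZ = (
    "474554202F20485454502F312E300D0A"        # "GET / HTTP/1.0\r\n"  (source half)
    "ZZ"
    "485454502F312E3020323030204F4B0D0A00"    # "HTTP/1.0 200 OK\r\n\0" (destination half)
)


def render_byte(b: int) -> str:
    """Printable ASCII unchanged, control bytes as caret notation (^M, ^J, ^@), rest as \\xNN."""
    if 32 <= b <= 126:
        return chr(b)
    if b < 32:
        return "^" + chr(b + 64)
    return f"\\x{b:02X}"


def decode_hex(hexpart: str) -> tuple[str, str]:
    """Decode a run of hex digit pairs.

    Returns (rendered_text, leftover). 'leftover' is a trailing unpaired hex digit, which
    happens when a record is truncated mid-byte (as the one in the question is); it is
    reported rather than silently dropped or misread as a byte.
    """
    if not re.fullmatch(r"[0-9A-Fa-f]*", hexpart):
        raise ValueError(f"non-hex data in context buffer: {hexpart[:16]!r}")
    leftover = hexpart[-1] if len(hexpart) % 2 else ""
    data = bytes.fromhex(hexpart[: len(hexpart) - len(leftover)])
    return "".join(render_byte(b) for b in data), leftover


def decode_context_buffer(buf: str) -> list[dict]:
    """Split on the literal 'ZZ' separator (source half, destination half) and decode each part.

    A buffer without 'ZZ' is decoded as a single 'context' part.
    """
    parts = buf.split("ZZ", 1)
    labels = ("source", "destination") if len(parts) == 2 else ("context",)
    decoded = []
    for label, part in zip(labels, parts):
        text, leftover = decode_hex(part)
        decoded.append({"side": label, "text": text, "truncated_nibble": leftover})
    return decoded


def parse_record(line: str) -> dict:
    """Split one log.* record on commas; everything but the last field is returned untouched."""
    fields = line.rstrip("\r\n").split(",")
    return {"fields": fields[:-1], "context": decode_context_buffer(fields[-1])}


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    for part in rec["context"]:
        print(f"{part['side']}: [{part['text']}]"
              + (f" (dangling hex digit {part['truncated_nibble']!r})" if part["truncated_nibble"] else ""))
    for part in decode_context_buffer(SAMPLE_WITH_ZZ):
        print(f"{part['side']}: [{part['text']}]")
```

Feeding it a whole file is a matter of calling parse_record on each line; a record whose buffer contains anything other than hex digits or "ZZ" raises instead of producing garbage, which is the behaviour you want when the log is being parsed by a script rather than eyeballed.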