Snort mailing list archives
Re: BASE Payload Search
From: "Jeffrey Denton" <dentonj () gmail com>
Date: Thu, 5 Jul 2007 15:07:07 +0200
On 7/5/07, Humes, David G. <David.Humes () jhuapl edu> wrote:
> Hey Everyone,
>
> We use BASE for watching our Snort alerts, and would really like to be able to do a payload search. But it does not appear to work. I saw some early posts about this on the BASE list saying that it never worked in ACID. Does anyone have this working? I'm running BASE 1.3.6. I've already posted this on the BASE list and haven't received any replies. I thought it might get a little more visibility over here.
>
> My process flow for searching is:

It works for me(TM). I'm using Base 1.3.6.

Input Criteria
Encoding Type: ascii
Convert To (when searching): hex
has
USER

Where USER is the string I'm searching for.

Sometimes it's easier to search using hex.

Input Criteria
Encoding Type: hex
Convert To (when searching): hex
has
55534552

Where 55534552 is the search string. Notice there are no spaces between the hex numbers.
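
Added example, not part of the original post and not BASE's own code: a Python sketch of the two search forms above, assuming the payload being searched is available as a hex string. The function names and sample payloads are hypothetical. It also shows a caveat of matching on hex text: a plain substring match can hit on a half-byte boundary even though the bytes are not present.

```python
import re

def to_search_hex(term: str, encoding: str = "ascii") -> str:
    """Turn a search term into contiguous hex, as in the post (no spaces).

    encoding="ascii": term is literal text, e.g. USER
    encoding="hex":   term is already hex, e.g. 55534552
    """
    if encoding == "ascii":
        return term.encode("ascii").hex().upper()
    if encoding == "hex":
        cleaned = re.sub(r"\s+", "", term).upper()  # drop spaces between hex bytes
        if len(cleaned) % 2 or not re.fullmatch(r"[0-9A-F]+", cleaned):
            raise ValueError(f"not a whole number of hex bytes: {term!r}")
        return cleaned
    raise ValueError(f"unknown encoding: {encoding!r}")

def byte_offsets(payload_hex: str, needle_hex: str) -> list:
    """Byte offsets where needle_hex occurs on a byte boundary in payload_hex."""
    hay, needle = payload_hex.upper(), needle_hex.upper()
    hits = []
    pos = hay.find(needle)
    while pos != -1:
        if pos % 2 == 0:          # even character index = start of a byte
            hits.append(pos // 2)
        pos = hay.find(needle, pos + 1)
    return hits

# Constructed sample payloads (assumption: stored as hex text).
FTP_LOGIN = b"USER anonymous\r\n".hex()           # really contains USER
MISALIGNED = bytes([0x05, 0x55, 0x34, 0x55, 0x20]).hex()  # does not contain USER

if __name__ == "__main__":
    needle = to_search_hex("USER")                # same as the hex form below
    assert needle == to_search_hex("55 53 45 52", "hex")
    print("needle:", needle)
    print("real hit offsets:", byte_offsets(FTP_LOGIN, needle))
    # The hex text 0555345520 contains 55534552 starting mid-byte:
    print("naive substring match:", needle in MISALIGNED.upper())
    print("byte-aligned offsets:", byte_offsets(MISALIGNED, needle))
```

If a hex search returns an alert whose decoded payload does not show the string, a half-byte match like the second sample is one thing to check for.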