#14 Payload search

BASE
closed-invalid
nobody
Database (41)
2
2005-02-12
2005-02-01
Kevin Johnson
No

Whenever I specify a criterion to search against the
payload data, the results return empty. I submitted a
query in the payload section for anything that has the
word "http" but the results were null.
Browsing through the payload data I observed at least
400 alerts within the payload packet with that word
listed.

Is this a bug with 1.0.1?

Query written as
1. No encoding, No convert
2. (,has, http,) <- commas indicate fields
3. QueryDB

Discussion

  • Joel Esler
    Joel Esler
    2005-02-02

    • milestone: --> BASE
     
  • Logged In: YES
    user_id=1208670

    If you don't specify the Encoding or what to convert to, the
    input will be treated as native on the database. I mean, if you
    search for (,has, http,) and the payload is stored in HEX,
    you'll get no results. So, you'll have to 'Convert to: HEX'.
    What encoding are you using in the database?

     
  • Joel Esler
    Joel Esler
    2005-02-04

    Logged In: YES
    user_id=853584

    If you are using Hex encoding I have found that searching
    for a "hex string", i.e. 00 0a 02 aj 93... etc., something
    like that, will work fine.

     
  • Joel Esler
    Joel Esler
    2005-02-04

    • priority: 4 --> 2
     
  • hamo
    hamo
    2005-02-04

    Logged In: YES
    user_id=1127514

    Is it possible to make it simpler instead of converting to HEX
    every time I need to look for specific data? It would be
    appreciated and much easier for anyone using BASE rather
    than converting the word(s) to HEX to search for data.

     
  • Logged In: YES
    user_id=1208670

    Well, I've tested in all ways. It will always depend on what
    encoding you're using in your database. The input criteria
    must be in the same encoding your database is using,
    otherwise you'll need to convert it.
    The input criteria will be checked against the payload, so
    they must be in the same encoding. If you want to search
    'http', and your database is in HEX, you must set 'Convert
    to->HEX'.
    In other words: in the database with hex encoding, the
    payload is stored like:

    If you set the criteria to 'http', with no conversion, it
    will search for 'http' where there's only hex chars like
    '474554202F636F756', and will not match.
    (select * from data where data_payload like '%http%')
    But if you set 'Convert-to->HEX', then it will convert your
    input criteria to '48545450' and will match.
    (select * from data where data_payload like '%48545450%')
    Not a bug.

     
  • Joel Esler
    Joel Esler
    2005-02-12

    • status: open --> closed-invalid