Decoding [1:2200122:1] SURICATA AF-PACKET truncated packet

DigiAngel · May 1, 2025, 2:32pm

Any way to get some information from the blob of hex included in the Raw pkt data?

Jeff_Lucovsky · May 3, 2025, 1:14pm

If you’re referring to the payload in an alert, e.g.,

  "payload": "R0VUIC9hL3RyYWNrL2pzaW5mby5hc3A/c3c9MTY4MCZzaD05NzcgSFRUUC8xLjENCkFjY2VwdDogKi8qDQpSZWZlcmVyOiBodHRwOi8vdmlldy5hdGRtdC5jb20vRFJOL2l2aWV3LzE1NTU3ODY2NS9kaXJlY3QvMDE/Y2xpY2s9DQpBY2NlcHQtTGFuZ3VhZ2U6IGVuLXVzDQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUNClVzZXItQWdlbnQ6IE1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDYuMDsgV2luZG93cyBOVCA1LjE7IFNWMTsgLk5FVCBDTFIgMS4xLjQzMjI7IC5ORVQgQ0xSIDIuMC41MDcyNzsgLk5FVCBDTFIgMy4wLjQ1MDYuMjE1MjsgLk5FVCBDTFIgMy41LjMwNzI5OyBXaW5kb3dzIExpdmUgTWVzc2VuZ2VyIDE0LjAuODA4OS4wNzI2KQ0KSG9zdDogd3d3My5zbWFydGFkc2VydmVyLmNvbQ0KQ29ubmVjdGlvbjogS2VlcC1BbGl2ZQ0KQ29va2llOiBUZXN0SWZDb29raWVQPW9rOyBUZXN0SWZDb29raWU9b2s7IEFTUFNFU1NJT05JRFFRQkFDQlJBPU9JSE5EQkNDSENNSkhBSkFQRkRGUEtMQw0KDQo=",

You can decode this with base64 -d

$ echo  "R0VUIC9hL3RyYWNrL2pzaW5mby5hc3A/c3c9MTY4MCZzaD05NzcgSFRUUC8xLjENCkFjY2VwdDogKi8qDQpSZWZlcmVyOiBodHRwOi8vdmlldy5hdGRtdC5jb20vRFJOL2l2aWV3LzE1NTU3ODY2NS9kaXJlY3QvMDE/Y2xpY2s9DQpBY2NlcHQtTGFuZ3VhZ2U6IGVuLXVzDQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUNClVzZXItQWdlbnQ6IE1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDYuMDsgV2luZG93cyBOVCA1LjE7IFNWMTsgLk5FVCBDTFIgMS4xLjQzMjI7IC5ORVQgQ0xSIDIuMC41MDcyNzsgLk5FVCBDTFIgMy4wLjQ1MDYuMjE1MjsgLk5FVCBDTFIgMy41LjMwNzI5OyBXaW5kb3dzIExpdmUgTWVzc2VuZ2VyIDE0LjAuODA4OS4wNzI2KQ0KSG9zdDogd3d3My5zbWFydGFkc2VydmVyLmNvbQ0KQ29ubmVjdGlvbjogS2VlcC1BbGl2ZQ0KQ29va2llOiBUZXN0SWZDb29raWVQPW9rOyBUZXN0SWZDb29raWU9b2s7IEFTUFNFU1NJT05JRFFRQkFDQlJBPU9JSE5EQkNDSENNSkhBSkFQRkRGUEtMQw0KDQo=" | base64 -d
GET /a/track/jsinfo.asp?sw=1680&sh=977 HTTP/1.1
Accept: */*
Referer: http://view.atdmt.com/DRN/iview/155578665/direct/01?click=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; Windows Live Messenger 14.0.8089.0726)
Host: www3.smartadserver.com
Connection: Keep-Alive
Cookie: TestIfCookieP=ok; TestIfCookie=ok; ASPSESSIONIDQQBACBRA=OIHNDBCCHCMJHAJAPFDFPKLC

DigiAngel · May 5, 2025, 6:38pm

In this case, there is no real payload..it’s just a small bit of hex bytes as packet is truncated. Hoping to glean a MAC at least or something I can look at.

ish · May 5, 2025, 6:45pm

What version of Suricata, and are you using AF_PACKET? Could be that AF_PACKET is truncating the packets. If on 7.0.10 though, you should also see this alert if that was the case:

SURICATA AF-PACKET truncated packet

DigiAngel · May 5, 2025, 6:56pm

Aye 7.0.10, and yes, using af-packet I’m not sure…that’s why I’m asking here…I see about 35 hex bytes in the alerts and was wondering if I could get any info from them.

ish · May 5, 2025, 9:49pm

Some tools make it easy to convert his payload to a PCAP to see what it is, like my EveBox. For me when I get these they are almost always Wireguard traffic. idstools also has an eve2pcap converter, but I can’t say that I’ve tried that in many years. Other options might be as Jeff, suggested, but maybe to hex and pick a part the header manually?

DigiAngel · May 7, 2025, 2:37pm

Thank you much…just what I needed.

DigiAngel · May 7, 2025, 2:43pm

So the process is to take the base64 blob → convert to hexdump (hello cyberchef) → save to file, then import hexdump into wireshark. Thanks all!