How do I decrypt the <suppresspassthru>tag in <snortglobal><supress>section</supress></snortglobal></suppresspassthru>



  • Hey, folks;

    I am having to rebuild my config from scratch after upgrading to v2.2.1.  I'm not sure what went wrong, but the config would not load correctly.  At any rate, I'm using the backed up config.xml file as a reference.  In my Snort configuration, I had two suppress lists configured.  When I see them in the config.xml (the <suppresspassthru>tag), they seem to be encrypted.  How do I turn that back into plain text so I can rebuild the lists I had?

    Thank you</suppresspassthru>



  • They are simply Base64 encoded.  You can use one of several online tools to convert the string from encoded Base64 to plaintext. Here is one site I found using a quick Google search:  http://www.motobit.com/util/base64-decoder-encoder.asp.

    The string is Base64 encoded to avoid issues with any XML reserved characters.  You can copy it literally as-is from one config.xml to the other, or if you want to decode it and paste the plaintext into a new Snort GUI window, then use an online Base64 tool like the one I referenced.

    Bill


Log in to reply