I'm running Snort which detects some P2P activity, specifically the BitTorrent announce request. I see the HTTP GET /announce.php?info_hash=XXX... request and I'm trying to convert this XXX into a proper SHA1 hash to try and get an idea of what is being downloaded.

I've read various things that say this is URL encoded, and others that say just remove the % character - however I am unable to reproduce this.

Can anyone suggest how to do this?

A: 

info_hash is an SHA1 hash. It's a binary hash, URL-encoded for inclusion in a URL.

If you want to turn it into a hex-encoded hash, you will need to extract it from the URL, URL-decode, and hex-encode. For example in Python:

>>> import urllib  # Python 2 session
>>> '%00%01%02%20%25ABC+XYZabc%7F%80%81%FE%FF'
'%00%01%02%20%25ABC+XYZabc%7F%80%81%FE%FF'
>>> urllib.unquote_plus(_)
'\x00\x01\x02 %ABC XYZabc\x7f\x80\x81\xfe\xff'
>>> _.encode('hex')
'00010220254142432058595a6162637f8081feff'
bobince
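
The same extract, URL-decode, hex-encode steps in Python 3, applied to a whole announce request line as it would appear in a Snort alert payload. This is an added example, not part of the original answer. The function name `info_hash_hex` and the sample request (the answer's test string plus a `port` parameter) are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote_to_bytes

SHA1_LEN = 20  # a raw SHA-1 digest is 20 bytes, i.e. 40 hex characters


def info_hash_hex(request):
    """Return info_hash as 40 hex chars from a request line or URL.

    Accepts either 'GET /announce.php?... HTTP/1.1' or just the URL/path.
    Raises ValueError if the parameter is missing or not 20 bytes long.
    """
    parts = request.split()
    if not parts:
        raise ValueError("empty request")
    # Request line is "METHOD target VERSION": take the target.
    target = parts[1] if len(parts) >= 2 else parts[0]
    query = urlsplit(target).query

    for pair in query.split("&"):
        name, sep, value = pair.partition("=")
        if sep and name == "info_hash":
            # Decode to bytes, not str: the digest is arbitrary binary, and a
            # text decode (parse_qs, unquote) would mangle bytes >= 0x80.
            # '+' is turned into a space first, as unquote_plus does.
            raw = unquote_to_bytes(value.replace("+", " "))
            if len(raw) != SHA1_LEN:
                raise ValueError("info_hash is %d bytes, expected 20" % len(raw))
            return raw.hex()
    raise ValueError("no info_hash parameter")


if __name__ == "__main__":
    # Constructed sample: the answer's test string inside an announce request.
    line = ("GET /announce.php?info_hash=%00%01%02%20%25ABC+XYZabc%7F%80%81%FE%FF"
            "&port=6881 HTTP/1.1")
    print(info_hash_hex(line))
```

The length check catches the common failure where the value was truncated in the alert or only the `%` characters were stripped instead of decoding.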