[Snort-users] (no subject)

Robert.Buckley2 at ...249... Robert.Buckley2 at ...249...
Thu Aug 17 07:52:29 EDT 2000


Hey snorters,
Quick question about a nuisance.
Sometimes I like to run tail -f on a SESSION* log produced by 
snort -d -c session                                   where session has 
alert tcp any any <> any any (session:all;)
If you get telnet connections from windoze boxes the log has the perverbial
^M  (microsofts way of saying CRLF?)
When you try to tail -f a log with ^M's in it, STDERR produces:

ls -l^M 
bash: ls -l^M: command not found. Now is that a shortcoming of tail, bash,
microsoft, or will snort be able to strip that?

I could do a   perl -p -i -e 's/^M/ /g' SESSIONFILE, but it wouldnt help on
a tail -f since its live.

Another freaky thing that happens in this case is,
if you tail -f  from lets say /var/log/snort  and BASH crashes with the
"whatever^M:command not found", it puts you in the directory where the user
is logged in ( eg /usr/home/joeblack ). The shell acts really funny at that
point as well. This isnt a fault of snort obviously, its a fault of the
shell.
I bet you looked hard enough, you might find an exploit there.

Any thoughts on stripping ^M live?









More information about the Snort-users mailing list