[Snort-users] (no subject)

Fyodor fygrave at ...121...
Thu Aug 17 08:44:52 EDT 2000


~ :Quick question about a nuisance.
~ :Sometimes I like to run tail -f on a SESSION* log produced by 
~ :snort -d -c session                                   where session has 
~ :alert tcp any any <> any any (session:all;)
~ :If you get telnet connections from windoze boxes the log has the proverbial
~ :^M (Microsoft's way of saying CRLF?)

No, ^M is actually the 0x0d character (`CR'), the code generated when you press
Enter.

The thing is that the SMTP, POP3 (others?) RFCs say that the correct line ending
for the protocol is `\r\n'. When you are using telnet, by default it uses
`ascii' mode, so it translates all `\n' sequences into `\r\n' and
vice versa. As far as I understand, the usual telnetd daemon performs a
similar interpretation as well, so it goes unnoticed.

Try to bind just a shell to a port and telnet there; you will see that it
complains about ^M things at the end of each string until you
switch telnet into binary mode.

~ :When you try to tail -f a log with ^M's in it, STDERR produces:
~ :
~ :ls -l^M 
~ :bash: ls -l^M: command not found. Now is that a shortcoming of tail, bash,
~ :Microsoft, or will Snort be able to strip that?
~

Huh? I don't really understand what you're actually trying to do here.. if
you do `tail -f logfile' it should _NOT_ try to execute that.



~ :Another freaky thing that happens in this case is,
~ :if you tail -f from, let's say, /var/log/snort and BASH crashes with the
~ :"whatever^M: command not found", it puts you in the directory where the user
~ :is logged in (e.g. /usr/home/joeblack). The shell acts really funny at that
~ :point as well. This isn't a fault of snort obviously, it's a fault of the
~ :shell.
~ :I bet if you looked hard enough, you might find an exploit there.
~ :
~ :Any thoughts on stripping ^M live?

yeah.. preprocessor.. ;-)
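The "stripping ^M live" question above, worked through as an added example that is not part of the original thread or of Snort itself. The sample session log is constructed here to look like lines captured from a client sending CRLF line endings, and the function names (show_bytes, count_cr, strip_cr, tail_clean) are this example's own:

```shell
#!/bin/sh
# Added example (not from the original thread, not part of Snort): show the ^M
# (0x0d, CR) that a CRLF-speaking telnet client leaves at the end of each line
# in a captured session, and strip it both from a finished log and live.

# Constructed sample log: three telnet commands as a Windows client in telnet
# "ascii" mode would send them, each line ending in CR LF rather than bare LF.
CR=$(printf '\r')
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
printf 'ls -l%s\nwho%s\nexit%s\n' "$CR" "$CR" "$CR" > "$SAMPLE_LOG"

# Make the invisible visible: dump the bytes so the \r before each \n shows up.
show_bytes() {
    od -An -c "$1"
}

# Count CR bytes in a file (tr -cd keeps only \r, wc -c counts them).
count_cr() {
    tr -cd '\r' < "$1" | wc -c | tr -d ' '
}

# Strip CR from a finished log and print the cleaned text.
strip_cr() {
    tr -d '\r' < "$1"
}

# Live variant for an interactive terminal: follow the growing log and strip
# CR on the fly. tail -f never returns, so this is not called below.
tail_clean() {
    tail -f "$1" | tr -d '\r'
}

echo "raw bytes:"
show_bytes "$SAMPLE_LOG"
echo "CR bytes in sample: $(count_cr "$SAMPLE_LOG")"
echo "cleaned:"
strip_cr "$SAMPLE_LOG"
```

`tr -d '\r'` deletes every CR byte in the stream, which is what you want for a session log that is only being read by eye; if you need to keep a CR that is not followed by LF, use GNU `sed 's/\r$//'` instead, which only removes the one at end of line. Nothing here executes the logged commands, so the "command not found" problem in the quoted message cannot come from `tail -f` on its own.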




