[Snort-users] (no subject)
fygrave at ...121...
Thu Aug 17 08:44:52 EDT 2000
~ :Quick question about a nuisance.
~ :Sometimes I like to run tail -f on a SESSION* log produced by
~ :snort -d -c session where session has
~ :alert tcp any any <> any any (session:all;)
~ :If you get telnet connections from windoze boxes the log has the proverbial
~ :^M (Microsoft's way of saying CRLF?)
No, ^M is actually 0xd character (`CR'), the code generated when you press
The thing is that smtp, pop3 (others?) rfc says that correct lineending is
`\r\n' for the protocol. When you are using telnet, by default it uses
`ascii' mode, so it translates all `\n' sequences into `\r\n' and
vice versa. As far as I understand usual telnetd daemon performs the
similar interpretation as well, so it goes unnoticed.
Try to bind just a shell to a port and telnet there, you will see that it
would be complaining about ^M things at the end of each string until you
switch telnet into binary mode.
~ :When you try to tail -f a log with ^M's in it, STDERR produces:
~ :ls -l^M
~ :bash: ls -l^M: command not found. Now is that a shortcoming of tail, bash,
~ :microsoft, or will snort be able to strip that?
Huh? I don't really understand what you're actually trying to do here.. if
you do `tail -f logfile' it should _NOT_ try to execute that.
~ :Another freaky thing that happens in this case is,
~ :if you tail -f from let's say /var/log/snort and BASH crashes with the
~ :"whatever^M:command not found", it puts you in the directory where the user
~ :is logged in ( eg /usr/home/joeblack ). The shell acts really funny at that
~ :point as well. This isn't a fault of snort obviously, it's a fault of the
~ :I bet if you looked hard enough, you might find an exploit there.
~ :Any thoughts on stripping ^M live?
yeah.. preprocessor.. ;-)
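An added example of the "stripping ^M live" idea raised above; this is not code from the original post, from snort, or from any snort preprocessor. It is a small stdin-to-stdout filter you can put behind `tail -f` so that client-supplied bytes in a SESSION log never reach the terminal raw: CRLF becomes LF, and any other control byte (a lone CR, an escape character, and so on) is shown in the same caret notation the post uses (`^M`, `^[`). The class keeps one byte of state so a CRLF pair that is split across two reads is still recognised as a single line ending. The file name `strip_cr.py` and the sample log bytes are constructed for the example.

```python
#!/usr/bin/env python3
"""Terminal-safe viewer for snort session logs (added example, not snort code).

Usage:  tail -f /var/log/snort/SESSION* | python3 strip_cr.py
Converts CRLF to LF and renders any other control byte in caret notation
(^M, ^[, ^@ ...) so client-supplied bytes never reach the terminal raw.
"""
import sys

CR, LF, TAB = 0x0d, 0x0a, 0x09

# Constructed sample of what a telnet session from a CRLF client might log.
SAMPLE_LOG = b"ls -l\r\ncat motd\r\n\x1b[2Jexit\r"


class SessionLogFilter:
    """Incremental filter; keeps state across read() chunks so a CRLF pair
    split over two chunks is still recognised as one line ending."""

    def __init__(self) -> None:
        self._pending_cr = False  # last byte of the previous chunk was CR

    @staticmethod
    def _caret(b: int) -> bytes:
        # 0x00..0x1f -> ^@, ^A .. ^_ ; 0x7f -> ^?
        return b"^" + bytes([(b + 0x40) & 0x7f])

    def feed(self, chunk: bytes) -> bytes:
        out = bytearray()
        for b in chunk:
            if self._pending_cr:
                self._pending_cr = False
                if b == LF:                  # CRLF -> LF
                    out.append(LF)
                    continue
                out += self._caret(CR)       # lone CR stays visible as ^M
            if b == CR:
                self._pending_cr = True      # decide once the next byte arrives
            elif b in (LF, TAB) or 0x20 <= b < 0x7f:
                out.append(b)                # printable ASCII, tab, newline
            elif b < 0x20 or b == 0x7f:
                out += self._caret(b)        # other control bytes -> ^X
            else:
                out += b"\\x%02x" % b        # high bytes -> \xNN
        return bytes(out)

    def flush(self) -> bytes:
        """Emit a trailing CR held back at end of stream."""
        if self._pending_cr:
            self._pending_cr = False
            return self._caret(CR)
        return b""


def filter_bytes(data: bytes, chunk_size: int = 4096) -> bytes:
    """Run a whole buffer through the filter in fixed-size chunks."""
    f = SessionLogFilter()
    pieces = [f.feed(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]
    return b"".join(pieces) + f.flush()


if __name__ == "__main__":
    f = SessionLogFilter()
    # read1() returns as soon as any data is available, so `tail -f`
    # output appears line by line instead of waiting for a full buffer.
    while True:
        chunk = sys.stdin.buffer.read1(4096)
        if not chunk:
            break
        sys.stdout.buffer.write(f.feed(chunk))
        sys.stdout.buffer.flush()
    sys.stdout.buffer.write(f.flush())
    sys.stdout.buffer.flush()
```

The design choice worth noting is that a CR is never silently dropped: a CR that is part of CRLF is folded into the newline, while a CR standing alone is made visible as `^M`, so the filter changes how the log is displayed but loses none of its content.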