[Snort-users] printable session
dr at ...50...
Fri Aug 18 20:05:45 EDT 2000
On Fri, 18 Aug 2000, Tom Whipp wrote:
> Could it be that you are seeing the 'l' character from the user and the
> response 'l' from the server to print back in the telenet client? Or are
> you seeing double characters in a single direction?
I once wasted some time on an audit with duplicated letters on a sniffed root
password off a telnet with session with snort... Once you remove the echo
duplicates, you can still get duplicate characters triggered by TCP
retranssmissions. Duplicate single characters in the snort session trace are a
common symptom particulalry when telnet is running in character per
packet mode. The solution for this will be the TCP reassembler that
Mr. Cramer is working on which will be able to note that it is a
retransmission and put the duplicated characters in the packet
in the right place.
dursec.com ltd. / kyx.net - we're from the future
pgp fingerprint: 18C7 E37C 2F94 E251 F18E B7DC 2B71 A73E D2E8 A56D
pgp key: http://www.dursec.com/drkey.asc
More information about the Snort-users