[Snort-users] printable session

Dragos Ruiu dr at ...50...
Fri Aug 18 20:05:45 EDT 2000


On Fri, 18 Aug 2000, Tom Whipp wrote:
> Could it be that you are seeing the 'l' character from the user and the
> response 'l' from the server to print back in the telnet client?  Or are
> you seeing double characters in a single direction?

I once wasted some time on an audit with duplicated letters on a sniffed root
password off a telnet session with snort...  Once you remove the echo
duplicates, you can still get duplicate characters triggered by TCP
retransmissions. Duplicate single characters in the snort session trace are a
common symptom, particularly when telnet is running in character per
packet mode. The solution for this will be the TCP reassembler that
Mr. Cramer is working on which will be able to note that it is a
retransmission and put the duplicated characters in the packet
in the right place.

cheers,
--dr
 
-- 
dursec.com ltd. / kyx.net - we're from the future
pgp fingerprint: 18C7 E37C 2F94 E251 F18E  B7DC 2B71 A73E D2E8 A56D 
pgp key: http://www.dursec.com/drkey.asc
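
The retransmission effect described in the message above, as an added example that is not part of the original message and is not Snort's reassembler code: a per-packet dump of one direction of a character-per-packet telnet flow repeats retransmitted bytes, while ordering by TCP sequence number drops them. The function names, the starting sequence number and the sample segments are constructed for illustration.

```python
MOD = 1 << 32  # TCP sequence numbers wrap at 2**32

def naive_trace(segments):
    """Per-packet dump: payloads concatenated in arrival order."""
    return b"".join(payload for _seq, payload in segments)

def reassemble(isn, segments):
    """Rebuild one direction of a flow by sequence number.

    isn is the sequence number of the first data byte. Returns
    (stream, retransmitted_byte_count). Segments older than isn are
    not handled in this sketch.
    """
    stream = bytearray()
    pending = {}    # relative offset -> payload that arrived before a hole was filled
    dup_bytes = 0

    def accept(off, payload):
        nonlocal dup_bytes
        # Bytes at offsets already in the stream are retransmitted data.
        overlap = min(max(len(stream) - off, 0), len(payload))
        dup_bytes += overlap
        stream.extend(payload[overlap:])

    for seq, payload in segments:
        off = (seq - isn) % MOD
        if off > len(stream):
            # Out of order: hold it; a second copy of a held segment is a duplicate.
            held = pending.get(off, b"")
            dup_bytes += min(len(held), len(payload))
            pending[off] = max(held, payload, key=len)
            continue
        accept(off, payload)
        for held_off in sorted(pending):   # drain segments that are now contiguous
            if held_off > len(stream):
                break
            accept(held_off, pending.pop(held_off))
    return bytes(stream), dup_bytes

# Constructed sample: the user types "ls -l<CR><LF>", one character per packet.
SAMPLE_ISN = 1000
SAMPLE_SEGMENTS = [
    (1000, b"l"), (1001, b"s"),
    (1001, b"s"),                  # retransmission of "s"
    (1002, b" "),
    (1004, b"l"), (1003, b"-"),    # arrived out of order
    (1004, b"l"),                  # retransmission of the second "l"
    (1005, b"\r\n"),
]

if __name__ == "__main__":
    print(naive_trace(SAMPLE_SEGMENTS))             # duplicated, misordered characters
    print(reassemble(SAMPLE_ISN, SAMPLE_SEGMENTS))  # clean stream plus duplicate count
```
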



