File: notes.txt

package info
mailscanner 4.41.3-2
  • links: PTS
  • area: main
  • in suites: sarge
  • size: 6,008 kB
  • ctags: 781
  • sloc: perl: 17,399; sh: 2,178; makefile: 284
Written while I was suffering Kaspersky etc.; intended to turn into a
document for anyone writing extra scanner support ("if you don't follow
these guidelines we're not likely to be able to use your code"):

* Tips for writing scanner support:
  * "print STDERR $line" is your friend.
  * Always parse *every* line of output from the scanner, and
    die if you don't understand it.
  * Be *extremely* anal when writing regexps, especially with
    quantities of whitespace.
  * Only use wildcards to match the filename part of the output,
    *never* to match whitespace or boilerplate text (think about
    what might happen if the filename has a trailing <space> character).
  * At least one scanner prints "<cr><space>...<space><cr>"
    before outputting its results -- be *sure* what the scanner's
    output format really is.
  * Be sure that you know how your scanner reports infections
    within archives; they can easily be mis-parsed.
  * Use comments to document any oddities that could confuse
    your parser; that way we might be able to ensure that they
    don't happen in future.
  * Use comments to document the output format you are expecting
    from the scanner so that when it changes, debugging is quicker.
  * Watch out for scanners reporting different categories of Bad
    Thing - e.g. "Joke Program", "Trojan", "Virus", "Worm"... it
    is a good idea to run "strings" over a core dump from the scanner
    to get clues as to what may be reported if you're not sure.
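As an added example (not code from the MailScanner project), here is a parser for a made-up scanner, "hypo-av", written to the tips above: every line must match one documented pattern or the parser dies on it, only the filename is matched by a wildcard, the CR-space spacer and archive members are handled explicitly, and the scanner's own summary count is cross-checked against what was parsed. The scanner name, its output format and the sample run are all constructed for this example.

```perl
use strict; use warnings;
# Output format of the made-up scanner "hypo-av" (constructed for this
# example); when the real format changes, this comment is where to start:
#   banner:  "hypo-av <ver> scanning <dir>"
#   spacer:  "<cr><space>...<space><cr>", printed just before the results
#   result:  "<file>: OK"  or  "<file>: Infected: <name> (<category>)"
#   summary: "Scanned: <n> files, infected: <m>"
# Archive members appear as "<archive>->[<member>]" and are recorded against
# the archive, the attachment that would actually be acted on.  <file> may
# contain spaces, including a trailing one.
sub parse_hypo_av {
    my ($output) = @_;
    my (%infected, $scanned, $reported);
    for my $line (split /\n/, $output) {
        print STDERR "hypo-av> $line\n" if $ENV{HYPO_AV_DEBUG};
        $line =~ s/^\r +\r//;   # spacer, whether or not it got its own line
        next if $line eq '';
        next if $line =~ /^hypo-av \d+\.\d+ scanning \S+$/;   # banner
        next if $line =~ /^(.+): OK$/;                         # clean file
        # Only the filename is a wildcard; separator and category are literal,
        # so a trailing space in the filename survives rather than being eaten.
        if ($line =~ /^(.+): Infected: (\S+) \((Virus|Trojan|Worm|Joke Program)\)$/) {
            my ($file, $name, $category, $member) = ($1, $2, $3, undef);
            ($file, $member) = ($1, $2) if $file =~ /^(.+)->\[(.+)\]$/;
            push @{ $infected{$file} },
                { name => $name, category => $category, member => $member };
            next;
        }
        if ($line =~ /^Scanned: (\d+) files, infected: (\d+)$/) {
            ($scanned, $reported) = ($1, $2);
            next;
        }
        die "hypo-av: unrecognised output line: '$line'\n";   # never guess
    }
    die "hypo-av: no summary line seen\n" unless defined $scanned;
    my $found = 0; $found += @$_ for values %infected;
    die "hypo-av: summary says $reported infected, parsed $found\n" if $found != $reported;
    return { infected => \%infected, scanned => $scanned };
}

# Constructed sample run: spacer, a filename with a trailing space, an archive member.
my $r = parse_hypo_av(join "\n",
    "hypo-av 1.0 scanning /tmp/1234",
    "\r     \r/tmp/1234/readme.txt: OK",
    "/tmp/1234/report.doc : Infected: Macro.Test (Virus)",
    "/tmp/1234/pack.zip->[setup.exe]: Infected: Test.Dropper (Trojan)",
    "Scanned: 3 files, infected: 2");
printf "'%s': %s (%s)\n", $_, $r->{infected}{$_}[0]{name}, $r->{infected}{$_}[0]{category}
    for sort keys %{ $r->{infected} };
```

Set HYPO_AV_DEBUG=1 to echo every raw line to STDERR while working out a new scanner's real format; an unknown category such as "Joke Program" misspelt by the scanner will show up as a die rather than a silently missed infection.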



check_mailscanner:

OpenBSD 2.7:
	ps axww (ps -axww)
	NOT POSIX-COMPLIANT
	ps -ef returns false and outputs only to STDERR
	`uname` = OpenBSD
	`uname -a` = OpenBSD <hostname> V.v GENERIC#25 i386

FreeBSD:
	ps -ef supported according to manpage, but -f requires root, and -e means
	something else (print environment).
	uses ww for very wide output.
	use ps -axww
	has grep -F and fgrep
<BlindMan> COLUMNS doesn't have an effect
<nwp> thought not :(
<BlindMan> ps -ef
<BlindMan>   PID  TT  STAT      TIME COMMAND
<BlindMan> 22891  p2  Ss     0:00.13 PATH=/root/bin:/bin:/usr/bin:/usr/local/bin:/usr/X11R
<BlindMan> 22893  p2  R+     0:00.00 PWD=/root PAGER=less FTP_PASSIVE_MODE=YES HOSTNAME=ta
<BlindMan>   227  v0  Is+    0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv0
<BlindMan>   228  v1  Is+    0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv1
<BlindMan>   229  v2  Is+    0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv2
<BlindMan>   230  v3  Is+    0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv3
<BlindMan>   231  v4  Is+    0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv4
<BlindMan>   232  v5  Is+    0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv5
<BlindMan>   233  v6  Is+    0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv6
<BlindMan>   234  v7  Is+    0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv7
<BlindMan> COLUMNS=500 ps -ef
<BlindMan>   PID  TT  STAT      TIME COMMAND
<BlindMan> 22891  p2  Ss     0:00.14 PATH=/root/bin:/bin:/usr/bin:/usr/local/bin:/usr/X11R
<BlindMan> 22894  p2  R+     0:00.00 PWD=/root PAGER=less FTP_PASSIVE_MODE=YES HOSTNAME=ta
<BlindMan>   227  v0  Is+    0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv0
<BlindMan>   228  v1  Is+    0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv1
<BlindMan>   229  v2  Is+    0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv2
<BlindMan>   230  v3  Is+    0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv3
<BlindMan>   231  v4  Is+    0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv4
<BlindMan>   232  v5  Is+    0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv5
<BlindMan>   233  v6  Is+    0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv6
<BlindMan>   234  v7  Is+    0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv7
<BlindMan> ps -axww
<BlindMan>   PID  TT  STAT      TIME COMMAND
<BlindMan>     0  ??  DLs    0:00.59  (swapper)
<BlindMan>     1  ??  ILs    0:00.05 /sbin/init --
<BlindMan>     2  ??  DL     0:01.57  (pagedaemon)
<BlindMan>     3  ??  DL     0:00.00  (vmdaemon)
<BlindMan>     4  ??  DL     0:07.65  (bufdaemon)
<BlindMan>     5  ??  DL     2:48.93  (syncer)
<BlindMan>    29  ??  Is     0:00.00 adjkerntz -i
<BlindMan>   100  ??  Is     0:04.39 /sbin/dhclient ed0
<BlindMan>   133  ??  Ss    16:46.57 /sbin/natd -n ed0
<BlindMan>   149  ??  Ss     0:08.75 syslogd
<BlindMan>   169  ??  Is     0:00.00 inetd -wW
<BlindMan>   171  ??  Is     0:12.01 cron
<BlindMan>   174  ??  Is     0:52.79 /usr/sbin/sshd
<BlindMan>   223  ??  Is     0:02.13 /usr/local/sbin/sendfiled -Q
<BlindMan> 22794  p0  Is     0:00.11 -bash (bash)
<BlindMan> 22795  p0  S+     0:02.89 ssh davinci
<BlindMan> 22829  p1  Ss     0:00.21 -bash (bash)
<BlindMan> 22892  p1  DN+    0:01.20 find -f /
<BlindMan> 22891  p2  Rs     0:00.15 -bash (bash)
<BlindMan> 22895  p2  R+     0:00.00 ps -axww
<BlindMan>   227  v0  Is+    0:00.02 /usr/libexec/getty Pc ttyv0
<BlindMan>   228  v1  Is+    0:00.02 /usr/libexec/getty Pc ttyv1
<BlindMan>   229  v2  Is+    0:00.02 /usr/libexec/getty Pc ttyv2
<BlindMan>   230  v3  Is+    0:00.02 /usr/libexec/getty Pc ttyv3
<BlindMan>   231  v4  Is+    0:00.02 /usr/libexec/getty Pc ttyv4
<BlindMan>   232  v5  Is+    0:00.02 /usr/libexec/getty Pc ttyv5
<BlindMan>   233  v6  Is+    0:00.02 /usr/libexec/getty Pc ttyv6
<BlindMan>   234  v7  Is+    0:00.02 /usr/libexec/getty Pc ttyv7
<BlindMan> so
<BlindMan> anything else?
<nwp> `uname` and `uname -a`??
<BlindMan> why the latter?
<nwp> just in case it changes behaviour at some point.
<BlindMan> it's an older fbsd one
<BlindMan> 4.2-STABLE
<BlindMan> as of feb 2001
<nwp> uh-huh
<BlindMan> maybe i find a newer one
<BlindMan> let's see
<nwp> no prob if it's old, just so that I know where the ps output came from
<BlindMan> FreeBSD 4.2-STABLE
<BlindMan> from about feb 2001
<nwp> is that what uname -a gives?
<nwp> and uname just gives 'FreeBSD'?
<BlindMan> yes
<BlindMan> it's freebsd
<nwp> oh, no caps?
<BlindMan> believe me, i know what's running on my computers ;)
<BlindMan> FreeBSD
<nwp> right. That's great. Thanks very much.
<BlindMan> FreeBSD taffarel 4.2-STABLE FreeBSD 4.2-STABLE
<BlindMan> np
<BlindMan> what are you doing with it?
<BlindMan> just curious :)
<nwp> oh, hang on what was 'FreeBSD taffarel 4.2-STABLE FreeBSD 4.2-STABLE' - looks like two concatenated?
<BlindMan> bash-2.03$ uname -a
<BlindMan> FreeBSD taffarel 4.2-STABLE FreeBSD 4.2-STABLE #1: Thu Feb 22 21:06:42 CET 2001     root@taffarel:/usr/obj/usr/src/sys/TAFFAREL  i386
<BlindMan> now you see the whole :P
<nwp> still looks odd - where'd the "root@taffarel" come from?
<nwp> but that whole line is really what it says?
<BlindMan> that's just saying who/where/what kernel config files the kernel was built with
<nwp> cool.
<BlindMan> s/files/file/
<nwp> I'm just trying to tidy up a script that goes with mailscanner, and autoconf-ing it. uses ps to try to find the mailscanner process... previously there were 3 different versions.
<nwp> most things do POSIX, but OpenBSD and FreeBSD (and I guess NetBSD) don't.
<nwp> Unfortunately FreeBSD accepts the POSIX options, so I will have to grep `uname` for BSD and work off that I guess.
<BlindMan> i c

POSIX (Solaris, HPUX, Debian...):
	uses COLUMNS, truncates at 80 cols otherwise.
	ps -ef
	-e == every process, -f == full listing (adds path + args)
	(no output to STDERR)
	grep -F is POSIX; fgrep is not.
	ww for ps is NOT POSIX

Tru64:
	output from mjb

lorien# ps -ef | head -1
UID         PID   PPID    C STIME    TTY             TIME CMD
lorien# ps -ef | tail -4
root       8484  25049  0.0   Apr 18 ttyp1        0:00.98 -ksh (ksh)
root      14696   8484  0.0 15:19:57 ttyp1        0:00.01 tail -4
obelix    25049  25548  0.0   Apr 18 ttyp1        0:00.15 -ksh (ksh)
root      25235   8484  0.0 15:19:57 ttyp1        0:00.09 ps -ef

	ps -ef appears not to provide full path. *shrug*... now it does...

<||> $ ps -ef | head -4
<||> UID         PID   PPID    C STIME    TTY             TIME CMD
<||> root          0      0  0.8   Nov 24 ??        1-15:50:14 [kernel idle]
<||> root          1      0  0.0   Nov 24 ??          30:26.36 /sbin/init -a
<||> root          3      1  0.0   Nov 24 ??           0:47.17 /sbin/kloadsrv
<||> $ COLUMNS=500 ps -ef | head -4
<||> UID         PID   PPID    C STIME    TTY             TIME CMD
<||> root          0      0  0.9   Nov 24 ??        1-15:50:14 [kernel idle]
<||> root          1      0  0.0   Nov 24 ??          30:26.36 /sbin/init -a
<||> root          3      1  0.0   Nov 24 ??           0:47.17 /sbin/kloadsrv
<||> $ ps axww | head -4
<||>    PID TTY      S           TIME CMD
<||>      0 ??       R <   1-15:50:14 [kernel idle]
<||>      1 ??       S       30:26.36 /sbin/init -a
<||>      3 ??       I        0:47.17 /sbin/kloadsrv

	has fgrep
	has grep -F

sunos4.1.1 -> "sunos", AIX 4.3.3 -> "aix", IRIX 6.5.13 -> "irix"
nwp: sunos4 is bsd (ps aux), AIX is both (ps aux and -ef), IRIX is sysv (-ef)
<nwp> I'll trust AIX to be POSIX and obey COLUMNS...
<nwp> what does 'uname' give on SunOS4/AIX/IRIX?
<Stric> SunOS/AIX/IRIX

<Stric> nwp: At 80 chars of command line argument.. (not 80 screenwidth)
<nwp> Stric: IRIX yuk.
<Stric>      -w   Use a wide output format (132 columns rather than  80);
<Stric>           if repeated, that is, -ww, use arbitrarily wide output.
<Stric> SunOS4

<Stric> ps on AIX gives full width if no tty (when using sysv arguments)


IRIX ps man page has no indication of how to get wide output.
CPAN:

File::Lock *does* do fcntl
File::lockf is no good (not guaranteed to interact)
Mail::Box::Locker is no good on BSD from the look of it (assumes can pack "s @256", locktype)


Trying File::Lock...

File::Lock doesn't build, appears to be unmaintained.



*******************