Written while I was suffering Kaspersky etc., intended to turn into a
doc. for anyone writing extra scanner support - "if you don't follow
these guidelines we're not likely to be able to use your code":
Tips for writing scanner support:
  * "print STDERR $line" is your friend.
  * Always parse *every* line of output from the scanner, and
    die if you don't understand it.
  * Be *extremely* anal when writing regexps, especially with
    quantities of whitespace.
  * Only use wildcards to match the filename part of the output,
    *never* to match whitespace or boilerplate text (think about
    what might happen if the filename has a trailing <space> character).
  * At least one scanner prints "<cr><space>...<space><cr>"
    before outputting its results -- be *sure* what the scanner's
    output format really is.
  * Be sure that you know how your scanner reports infections
    within archives; they can easily be mis-parsed.
  * Use comments to document any oddities that could confuse
    your parser; that way we might be able to ensure that they
    don't happen in future.
  * Use comments to document the output format you are expecting
    from the scanner so that when it changes, debugging is quicker.
  * Watch out for scanners reporting different categories of Bad
    Thing - e.g. "Joke Program", "Trojan", "Virus", "Worm"... it
    is a good idea to run "strings" over a core dump from the scanner
    to get clues as to what may be reported if you're not sure.
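As an added example (not part of these notes and not MailScanner's own code), here is a Perl parser written to the tips above for the output of a hypothetical scanner, "hyposcan". The scanner name, its output format, the category names and the sample lines are all constructed for the example; the point is the shape of the parser: every line must match a documented format or the parser dies, the wildcard covers only the filename, the separators are literal so a filename with a trailing space survives, archive hits are mapped back to the attachment, and the scanner's own summary is cross-checked against what was parsed.

```perl
#!/usr/bin/perl
# Added example, not MailScanner code: a strict parser for the output of a
# hypothetical scanner "hyposcan". Every line must match one of the known
# formats below, otherwise we die, so a changed or unexpected format is
# noticed at once instead of silently letting an infection through.
use strict;
use warnings;

# Output format we expect from hyposcan (an assumption for this example,
# written down so that debugging is quicker when it changes):
#   "\r   \r"                               blank preamble line (CR, spaces, CR)
#   "Scanning <dir> ..."                    one header line
#   "<file>  Infected: <name> (<category>)" exactly two spaces before "Infected:";
#       <file> is "<archive>-><member>" for hits inside archives
#   "<file>  Clean"
#   "Summary: <n> files scanned, <m> infected"
#
# Categories hyposcan is known to report, and whether we treat them as an
# infection (constructed list; a real one would come from the scanner's docs
# or from running strings(1) over it):
my %category_is_bad = (
    'Virus'        => 1,
    'Worm'         => 1,
    'Trojan'       => 1,
    'Joke Program' => 0,   # reported, but not treated as an infection here
);
my $category_re = join '|', map { quotemeta } sort keys %category_is_bad;

sub parse_hyposcan_output {
    my @lines = @_;
    my %infected;          # attachment file => [ "name (category)", ... ]
    my ($scanned, $reported, $summary_seen) = (0, 0, 0);

    for my $line (@lines) {
        chomp $line;
        print STDERR "hyposcan: $line\n" if $ENV{HYPOSCAN_DEBUG};

        # Preamble: a CR, any number of spaces, a CR. Matched explicitly rather
        # than with \s*, so a genuinely empty line is still an error.
        next if $line =~ /^\r *\r$/;

        next if $line =~ /^Scanning \S.* \.\.\.$/;

        # The wildcard covers only the filename. The separator ("  Infected: ")
        # and the trailer are literal, so a filename ending in a space is kept
        # intact instead of being swallowed by a \s+.
        if ($line =~ /^(.+)  Infected: (\S.*?) \(($category_re)\)$/) {
            my ($file, $name, $category) = ($1, $2, $3);
            $scanned++;
            $reported++;
            # Hits inside archives are reported as "archive->member"; the
            # attachment that has to be acted on is the archive itself.
            my ($container) = split /->/, $file, 2;
            push @{ $infected{$container} }, "$name ($category)"
                if $category_is_bad{$category};
            next;
        }

        if ($line =~ /^(.+)  Clean$/) {
            $scanned++;
            next;
        }

        if ($line =~ /^Summary: (\d+) files scanned, (\d+) infected$/) {
            my ($n_scanned, $n_infected) = ($1, $2);
            $summary_seen = 1;
            die "hyposcan summary says $n_scanned scanned, we counted $scanned\n"
                unless $n_scanned == $scanned;
            die "hyposcan summary says $n_infected infected, we counted $reported\n"
                unless $n_infected == $reported;
            next;
        }

        die "unrecognised hyposcan output: \"$line\"\n";
    }
    die "hyposcan output ended without a summary line\n" unless $summary_seen;
    return \%infected;
}

# Constructed sample output: a filename with a trailing space, a hit inside
# an archive, and a category we log but do not treat as an infection.
my @sample = (
    "\r   \r\n",
    "Scanning /var/spool/MailScanner/incoming/4711 ...\n",
    "/var/spool/MailScanner/incoming/4711/report.doc   Infected: Macro.Example (Virus)\n",
    "/var/spool/MailScanner/incoming/4711/pics.zip->setup.exe  Infected: Dropper.Example (Trojan)\n",
    "/var/spool/MailScanner/incoming/4711/funny.exe  Infected: Funny.Example (Joke Program)\n",
    "/var/spool/MailScanner/incoming/4711/msg.txt  Clean\n",
    "Summary: 4 files scanned, 3 infected\n",
);

my $hits = parse_hyposcan_output(@sample);
for my $file (sort keys %$hits) {
    print "\"$file\": ", join(', ', @{ $hits->{$file} }), "\n";
}
```

Run it with HYPOSCAN_DEBUG=1 in the environment to get every scanner line echoed to STDERR before it is parsed; feeding it a line in any other shape, or a summary whose counts disagree with the lines actually seen, makes it die rather than guess.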
check_mailscanner:
  OpenBSD 2.7:
    ps axww (ps -axww)
    NOT POSIX-COMPLIANT: ps -ef returns false and outputs only to STDERR
    `uname` = OpenBSD
    `uname -a` = OpenBSD <hostname> V.v GENERIC#25 i386
  FreeBSD:
    ps -ef supported according to manpage, but requires root for -f, and -e means
    something else (print environment).
    uses ww for very wide.
    use ps -axww
    has grep -F and fgrep
<BlindMan> COLUMNS doesn't have a effect
<nwp> thought not :(
<BlindMan> ps -ef
<BlindMan> PID TT STAT TIME COMMAND
<BlindMan> 22891 p2 Ss 0:00.13 PATH=/root/bin:/bin:/usr/bin:/usr/local/bin:/usr/X11R
<BlindMan> 22893 p2 R+ 0:00.00 PWD=/root PAGER=less FTP_PASSIVE_MODE=YES HOSTNAME=ta
<BlindMan> 227 v0 Is+ 0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv0
<BlindMan> 228 v1 Is+ 0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv1
<BlindMan> 229 v2 Is+ 0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv2
<BlindMan> 230 v3 Is+ 0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv3
<BlindMan> 231 v4 Is+ 0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv4
<BlindMan> 232 v5 Is+ 0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv5
<BlindMan> 233 v6 Is+ 0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv6
<BlindMan> 234 v7 Is+ 0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv7
<BlindMan> COLUMNS=500 ps -ef
<BlindMan> PID TT STAT TIME COMMAND
<BlindMan> 22891 p2 Ss 0:00.14 PATH=/root/bin:/bin:/usr/bin:/usr/local/bin:/usr/X11R
<BlindMan> 22894 p2 R+ 0:00.00 PWD=/root PAGER=less FTP_PASSIVE_MODE=YES HOSTNAME=ta
<BlindMan> 227 v0 Is+ 0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv0
<BlindMan> 228 v1 Is+ 0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv1
<BlindMan> 229 v2 Is+ 0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv2
<BlindMan> 230 v3 Is+ 0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv3
<BlindMan> 231 v4 Is+ 0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv4
<BlindMan> 232 v5 Is+ 0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv5
<BlindMan> 233 v6 Is+ 0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv6
<BlindMan> 234 v7 Is+ 0:00.02 TERM=cons25 /usr/libexec/getty Pc ttyv7
<BlindMan> ps -axww
<BlindMan> PID TT STAT TIME COMMAND
<BlindMan> 0 ?? DLs 0:00.59 (swapper)
<BlindMan> 1 ?? ILs 0:00.05 /sbin/init --
<BlindMan> 2 ?? DL 0:01.57 (pagedaemon)
<BlindMan> 3 ?? DL 0:00.00 (vmdaemon)
<BlindMan> 4 ?? DL 0:07.65 (bufdaemon)
<BlindMan> 5 ?? DL 2:48.93 (syncer)
<BlindMan> 29 ?? Is 0:00.00 adjkerntz -i
<BlindMan> 100 ?? Is 0:04.39 /sbin/dhclient ed0
<BlindMan> 133 ?? Ss 16:46.57 /sbin/natd -n ed0
<BlindMan> 149 ?? Ss 0:08.75 syslogd
<BlindMan> 169 ?? Is 0:00.00 inetd -wW
<BlindMan> 171 ?? Is 0:12.01 cron
<BlindMan> 174 ?? Is 0:52.79 /usr/sbin/sshd
<BlindMan> 223 ?? Is 0:02.13 /usr/local/sbin/sendfiled -Q
<BlindMan> 22794 p0 Is 0:00.11 -bash (bash)
<BlindMan> 22795 p0 S+ 0:02.89 ssh davinci
<BlindMan> 22829 p1 Ss 0:00.21 -bash (bash)
<BlindMan> 22892 p1 DN+ 0:01.20 find -f /
<BlindMan> 22891 p2 Rs 0:00.15 -bash (bash)
<BlindMan> 22895 p2 R+ 0:00.00 ps -axww
<BlindMan> 227 v0 Is+ 0:00.02 /usr/libexec/getty Pc ttyv0
<BlindMan> 228 v1 Is+ 0:00.02 /usr/libexec/getty Pc ttyv1
<BlindMan> 229 v2 Is+ 0:00.02 /usr/libexec/getty Pc ttyv2
<BlindMan> 230 v3 Is+ 0:00.02 /usr/libexec/getty Pc ttyv3
<BlindMan> 231 v4 Is+ 0:00.02 /usr/libexec/getty Pc ttyv4
<BlindMan> 232 v5 Is+ 0:00.02 /usr/libexec/getty Pc ttyv5
<BlindMan> 233 v6 Is+ 0:00.02 /usr/libexec/getty Pc ttyv6
<BlindMan> 234 v7 Is+ 0:00.02 /usr/libexec/getty Pc ttyv7
<BlindMan> so
<BlindMan> anything else?
<nwp> `uname` and `uname -a`??
<BlindMan> why the latter?
<nwp> just in case it changes behaviour at some point.
<BlindMan> it's an older fbsd one
<BlindMan> 4.2-STABLE
<BlindMan> as of feb 2001
<nwp> uh-huh
<BlindMan> maybe i find a newer one
<BlindMan> let's see
<nwp> no prob if it's old, just so that I know where the ps output came from
<BlindMan> FreeBSD 4.2-STABLE
<BlindMan> from about feb 2001
<nwp> is that what uname -a gives?
<nwp> and uname just gives 'FreeBSD'?
<BlindMan> yes
<BlindMan> it's freebsd
<nwp> oh, no caps?
<BlindMan> believe me, i know what's running on my computers ;)
<BlindMan> FreeBSD
<nwp> right. That's great. Thanks very much.
<BlindMan> FreeBSD taffarel 4.2-STABLE FreeBSD 4.2-STABLE
<BlindMan> np
<BlindMan> what are you doing with it?
<BlindMan> just curious :)
<nwp> oh, hang on what was 'FreeBSD taffarel 4.2-STABLE FreeBSD 4.2-STABLE' - looks like two concatenated?
<BlindMan> bash-2.03$ uname -a
<BlindMan> FreeBSD taffarel 4.2-STABLE FreeBSD 4.2-STABLE #1: Thu Feb 22 21:06:42 CET 2001 root@taffarel:/usr/obj/usr/src/sys/TAFFAREL i386
<BlindMan> now you see the whole :P
<nwp> still looks odd - where'd the "root@taffarel" come from?
<nwp> but that whole line is really what it says?
<BlindMan> that's just saying who/where/what kernel config files the kernel was built with
<nwp> cool.
<BlindMan> s/files/file/
<nwp> I'm just trying to tidy up a script that goes with mailscanner, and autoconf-ing it. uses ps to try to find the mailscanner process... previously there were 3 different versions.
<nwp> most things do POSIX, but OpenBSD and FreeBSD (and I guess NetBSD) don't.
<nwp> Unfortunately FreeBSD accepts the POSIX options, so I will have to grep `uname` for BSD and work off that I guess.
<BlindMan> i c
POSIX (Solaris, HPUX, Debian...):
  uses COLUMNS, truncates at 80 cols otherwise.
  ps -ef
    -e == every process
    -f == full listing (adds path + args)
  (no output to STDERR)
  grep -F is POSIX; fgrep is not.
  ww for ps is NOT POSIX
Tru64:
output from mjb
lorien# ps -ef | head -1
UID PID PPID C STIME TTY TIME CMD
lorien# ps -ef | tail -4
root 8484 25049 0.0 Apr 18 ttyp1 0:00.98 -ksh (ksh)
root 14696 8484 0.0 15:19:57 ttyp1 0:00.01 tail -4
obelix 25049 25548 0.0 Apr 18 ttyp1 0:00.15 -ksh (ksh)
root 25235 8484 0.0 15:19:57 ttyp1 0:00.09 ps -ef
In that listing ps -ef appears not to provide the full path. *shrug*... in the following one it does:
<||> $ ps -ef | head -4
<||> UID PID PPID C STIME TTY TIME CMD
<||> root 0 0 0.8 Nov 24 ?? 1-15:50:14 [kernel idle]
<||> root 1 0 0.0 Nov 24 ?? 30:26.36 /sbin/init -a
<||> root 3 1 0.0 Nov 24 ?? 0:47.17 /sbin/kloadsrv
<||> $ COLUMNS=500 ps -ef | head -4
<||> UID PID PPID C STIME TTY TIME CMD
<||> root 0 0 0.9 Nov 24 ?? 1-15:50:14 [kernel idle]
<||> root 1 0 0.0 Nov 24 ?? 30:26.36 /sbin/init -a
<||> root 3 1 0.0 Nov 24 ?? 0:47.17 /sbin/kloadsrv
<||> $ ps axww | head -4
<||> PID TTY S TIME CMD
<||> 0 ?? R < 1-15:50:14 [kernel idle]
<||> 1 ?? S 30:26.36 /sbin/init -a
<||> 3 ?? I 0:47.17 /sbin/kloadsrv
has fgrep
has grep -F
sunos4.1.1 -> "sunos", AIX 4.3.3 -> "aix", IRIX 6.5.13 -> "irix"
nwp: sunos4 is bsd (ps aux), AIX is both (ps aux and -ef), IRIX is sysv (-ef)
<nwp> I'll trust AIX to be POSIX and obey COLUMNS...
<nwp> what does 'uname' give on SunOS4/AIX/IRIX?
<Stric> SunOS/AIX/IRIX
<Stric> nwp: At 80 chars of command line argument.. (not 80 screenwidth)
<nwp> Stric: IRIX yuk.
<Stric> -w Use a wide output format (132 columns rather than 80);
<Stric> if repeated, that is, -ww, use arbitrarily wide output.
<Stric> SunOS4
<Stric> ps on AIX gives full width if no tty (when using sysv arguments)
IRIX ps man page has no indication of how to get wide output.
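As an added example (not the check_mailscanner script itself and not MailScanner's code), the rules collected above can be put into one Perl routine: pick `ps -axww` when `uname` mentions BSD and `ps -ef` otherwise, widen COLUMNS so a POSIX ps does not truncate at 80 columns, check the exit status because a wrong option set (such as `-ef` on OpenBSD) returns false with nothing on STDOUT, and locate the PID column from the header rather than assuming it. The process name, the helper names and the two sample listings are constructed. One caveat the notes themselves raise: SunOS 4 reports "SunOS" from `uname` yet wants BSD-style `ps aux`, so the uname test alone does not cover it.

```perl
#!/usr/bin/perl
# Added example, not the real check_mailscanner: choose a ps invocation from
# `uname`, run it with COLUMNS widened, and report matching processes.
use strict;
use warnings;

# Which ps to use. Only the uname values seen in the notes are known; anything
# else is assumed to be POSIX (ps -ef, which honours COLUMNS). The BSDs need
# "ps -axww": on OpenBSD "ps -ef" fails and prints only to STDERR, on FreeBSD
# -e/-f mean something else entirely. SunOS 4 ("SunOS") also wants BSD-style
# ps and is NOT handled by this test (see the notes above).
sub ps_command_for {
    my ($uname) = @_;
    return ['ps', '-axww'] if $uname =~ /BSD/;
    return ['ps', '-ef'];
}

# Run ps and return its output lines. The exit status is checked because the
# wrong option set yields no usable output at all rather than a partial one.
sub run_ps {
    my ($uname) = @_;
    local $ENV{COLUMNS} = 500;      # stop a POSIX ps truncating at 80 columns
    my @cmd = @{ ps_command_for($uname) };
    open my $fh, '-|', @cmd or die "cannot run @cmd: $!\n";
    my @lines = <$fh>;
    close $fh or die "@cmd exited with status " . ($? >> 8) . "\n";
    return @lines;
}

# Return the PIDs of processes whose line contains $pattern literally (like
# grep -F). PID is the first column on BSD and the second on POSIX, so the
# header line is used to find it instead of hard-coding the position.
sub find_pids {
    my ($pattern, @lines) = @_;
    my $header = shift @lines;
    my @cols = split ' ', $header;
    my ($pid_col) = grep { $cols[$_] eq 'PID' } 0 .. $#cols;
    die "no PID column in ps header: $header" unless defined $pid_col;
    my @pids;
    for my $line (@lines) {
        my @fields = split ' ', $line;
        next unless @fields > $pid_col;
        push @pids, $fields[$pid_col] if index($line, $pattern) >= 0;
    }
    return @pids;
}

# Constructed sample listings in the two shapes seen in the notes.
my @bsd_sample = (
    "  PID  TT  STAT      TIME COMMAND\n",
    "  174  ??  Is     0:52.79 /usr/sbin/sshd\n",
    " 1234  ??  Ss     0:03.10 /usr/bin/perl /usr/sbin/MailScanner\n",
);
my @posix_sample = (
    "     UID   PID  PPID  C    STIME TTY         TIME CMD\n",
    "    root     1     0  0   Nov 24 ??      30:26.36 /sbin/init -a\n",
    "    root  4321     1  0 15:19:57 ?        0:00.09 /usr/bin/perl /usr/sbin/MailScanner\n",
);
print "BSD sample: @{[ find_pids('MailScanner', @bsd_sample) ]}\n";
print "POSIX sample: @{[ find_pids('MailScanner', @posix_sample) ]}\n";

# Live probe of the machine this runs on; the name to look for can be given
# as the first argument.
chomp(my $uname = `uname`);
my @pids = find_pids($ARGV[0] // 'MailScanner', run_ps($uname));
print "$uname: ", (@pids ? "found pid(s) @pids" : "not running"), "\n";
```

Matching on the header rather than a fixed column index is what keeps one routine working for both listing shapes; the literal `index` search plays the role of grep -F, which the notes record as present on every platform looked at (fgrep is not POSIX).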
CPAN:
File::Lock *does* do fcntl
File::lockf is no good (not guaranteed to interact)
Mail::Box::Locker is no good on BSD from the look of it (assumes it can pack "s @256" for the lock type/structure)
Trying File::Lock...
File::Lock doesn't build, appears to be unmaintained.
*******************