[Snort-users] Snort not catching /bin/sh

Barnes, Ross P ERDC-ITL-MS Contractor Ross.P.Barnes at ...3768...
Wed Oct 10 14:28:10 EDT 2001

Hello all,

	I am running Snort 1.8 on a box with another IDS to monitor
traffic(no packet loss on either IDS). We have been catching some telnetd
buffer overflow attempts on the other IDS with the signature content being
/bin/sh, but not on Snort. Both IDS are on the same box seeing the same
traffic. In the telnet.rules file, the corresponding rule that should pick
it up is

alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET SGI telnetd format
; flags: A+; content:"_RLD"; content:"/bin/sh";reference:arachnids,304;)

	Immediately, I thought that looked odd to have two contents. I took
out the content:"_RLD" and it still did not show up as I attempted to hack a
system while the other IDS caught it. I then took out the content:"/bin/sh"
and it worked off the "_RLD" content. Now, both strings are in the packet
payload so why is Snort not picking up something as clear as /bin/sh? Any
help is greatly appreciated.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20011010/6dd07ad1/attachment.html>

More information about the Snort-users mailing list