[Snort-users] Snort not catching /bin/sh

Thomas Whipp tkw at ...1885...
Thu Oct 11 01:12:05 EDT 2001


might be a silly question but are you sure both contents
were in the same packet when you tested - if they were
split across two packets then this rule would not match
them.
 
    Tom

-----Original Message-----
From: Barnes, Ross P ERDC-ITL-MS Contractor
[mailto:Ross.P.Barnes at ...3768...]
Sent: 10 October 2001 22:26
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] Snort not catching /bin/sh



Hello all, 

        I am running Snort 1.8 on a box with another IDS to
monitor traffic (no packet loss on either IDS). We have been
catching some telnetd buffer overflow attempts on the other
IDS with the signature content being /bin/sh, but not on
Snort. Both IDS are on the same box seeing the same traffic.
In the telnet.rules file, the corresponding rule that should
pick it up is

alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET SGI telnetd format bug"; flags: A+; content:"_RLD"; content:"/bin/sh"; reference:arachnids,304;)

        Immediately, I thought that looked odd to have two
contents. I took out the content:"_RLD" and it still did not
show up as I attempted to hack a system while the other IDS
caught it. I then took out the content:"/bin/sh" and it
worked off the "_RLD" content. Now, both strings are in the
packet payload so why is Snort not picking up something as
clear as /bin/sh? Any help is greatly appreciated.
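The point Tom raises above, as an added illustration that is not part of either message and is not Snort's own code: a toy model of how a rule with two content: options behaves when both strings land in one TCP segment versus being split across two, and how stream reassembly changes the outcome. The packet payloads and sequence numbers are constructed for the example; the reassembly is a simplification (sort by sequence number and concatenate) rather than a model of Snort's stream4 preprocessor.

```python
# Added example (not from the original thread or from Snort): models per-packet
# content matching versus matching over a reassembled stream.
# All payloads and sequence numbers below are constructed, not captured traffic.

from dataclasses import dataclass

# The two content: options from the telnet rule quoted in the thread.
RULE_CONTENTS = [b"_RLD", b"/bin/sh"]


@dataclass
class Packet:
    seq: int        # constructed TCP sequence number of the first payload byte
    payload: bytes


def rule_matches(payload: bytes, contents=RULE_CONTENTS) -> bool:
    """Every content: option of one rule must be found in the same buffer."""
    return all(c in payload for c in contents)


def match_per_packet(packets):
    """Pre-reassembly behaviour: each segment is inspected on its own."""
    return [rule_matches(p.payload) for p in packets]


def reassemble(packets) -> bytes:
    """Toy stream reassembly: order segments by seq and concatenate them."""
    return b"".join(p.payload for p in sorted(packets, key=lambda p: p.seq))


def match_on_stream(packets) -> bool:
    """Post-reassembly behaviour: the rule is applied to the rebuilt stream."""
    return rule_matches(reassemble(packets))


# Constructed case 1: both strings arrive in a single segment.
ONE_PACKET = [Packet(1000, b"AAAA_RLDBBBB/bin/shCCCC")]

# Constructed case 2: the same bytes, but each string sits in a different segment
# (second seq = 1000 + len of the first payload, so the split is contiguous).
SPLIT = [Packet(1000, b"AAAA_RLDBBBB"), Packet(1012, b"/bin/shCCCC")]

if __name__ == "__main__":
    print("one segment, per-packet:   ", match_per_packet(ONE_PACKET))  # [True]
    print("split, per-packet:         ", match_per_packet(SPLIT))       # [False, False]
    print("split, after reassembly:   ", match_on_stream(SPLIT))        # True
```

When the two strings are split, neither segment satisfies both content: options on its own, so a sensor that inspects packets individually stays silent even though another sensor that reassembles the session (or a rule with only one content: option, as Ross observed with "_RLD") fires. Checking whether reassembly was enabled on both sensors, and capturing the traffic to see how the payload was segmented, is the practical way to confirm this explanation.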
