[Snort-users] Snort not catching /bin/sh
tkw at ...1885...
Thu Oct 11 01:12:05 EDT 2001
Might be a silly question, but are you sure both contents
were in the same packet when you tested - if they were
split across two packets then this rule would not match.
From: Barnes, Ross P ERDC-ITL-MS Contractor
[mailto:Ross.P.Barnes at ...3768...]
Sent: 10 October 2001 22:26
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] Snort not catching /bin/sh
I am running Snort 1.8 on a box with another IDS to
monitor traffic (no packet loss on either IDS). We have been
catching some telnetd buffer overflow attempts on the other
IDS with the signature content being /bin/sh, but not on
Snort. Both IDS are on the same box seeing the same traffic.
In the telnet.rules file, the corresponding rule that should
pick it up is
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET SGI telnetd format bug"; flags: A+; content:"_RLD"; content:"/bin/sh";)
Immediately, I thought that looked odd to have two
contents. I took out the content:"_RLD" and it still did not
show up as I attempted to hack a system while the other IDS
caught it. I then took out the content:"/bin/sh" and it
worked off the "_RLD" content. Now, both strings are in the
packet payload so why is Snort not picking up something as
clear as /bin/sh? Any help is greatly appreciated.
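As an added illustration of the reply's point (example code written for this archive, not Snort's own implementation): a toy evaluator that parses the content: options out of the quoted rule and checks them first against each TCP segment on its own, then against the reassembled stream. It assumes a simplified Snort 1.8 model in which every content string must appear in the single buffer handed to the detection engine; the payloads are constructed, not captured traffic.

```python
import re

# Added example, not Snort code. The rule text is taken from the thread
# (the poster says it carried both content:"_RLD" and content:"/bin/sh").
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET SGI telnetd '
        'format bug"; flags: A+; content:"_RLD"; content:"/bin/sh";)')

def content_to_bytes(text: str) -> bytes:
    """Snort content syntax: literal text, with |hh hh| runs as raw hex bytes."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        if i % 2:  # odd parts sit between | | and are hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)

def parse_contents(rule: str) -> list:
    """Return every content: option in the rule body as bytes, in order."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return [content_to_bytes(m) for m in re.findall(r'content:\s*"([^"]*)"', body)]

def rule_matches(payload: bytes, contents) -> bool:
    """Simplified Snort 1.8 semantics (assumption): every content string must
    appear in the one buffer handed to the detection engine."""
    return all(c in payload for c in contents)

def alerts_per_packet(segments, contents):
    """Inspect each TCP segment by itself, with no stream reassembly.
    Returns the indices of the segments that would raise the alert."""
    return [i for i, seg in enumerate(segments) if rule_matches(seg, contents)]

def alerts_reassembled(segments, contents) -> bool:
    """Join the segments in order (what reassembly would hand to detection)
    and evaluate the rule once over the whole stream."""
    return rule_matches(b"".join(segments), contents)

# Constructed payloads (not captured traffic): only the rule's two marker
# strings, padded with filler, so the demonstration runs offline.
ONE_PACKET = [b"AAAA_RLDAAAA/bin/shAAAA"]
SPLIT_ACROSS_TWO = [b"AAAA_RLDAAAA", b"AAAA/bin/shAAAA"]

if __name__ == "__main__":
    contents = parse_contents(RULE)
    print("one packet, per-packet:", alerts_per_packet(ONE_PACKET, contents))
    print("split, per-packet     :", alerts_per_packet(SPLIT_ACROSS_TWO, contents))
    print("split, reassembled    :", alerts_reassembled(SPLIT_ACROSS_TWO, contents))
```

Per-packet inspection alerts on the single-packet case but misses the split case, while the reassembled stream matches; this is exactly the situation the reply asks the poster to rule out.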