Snort mailing list archives
Snort not catching /bin/sh
From: "Barnes, Ross P ERDC-ITL-MS Contractor" <Ross.P.Barnes () erdc usace army mil>
Date: Wed, 10 Oct 2001 16:26:11 -0500
Hello all,

I am running Snort 1.8 on a box with another IDS to monitor traffic (no packet loss on either IDS). We have been catching some telnetd buffer overflow attempts on the other IDS with the signature content being /bin/sh, but not on Snort. Both IDS are on the same box seeing the same traffic. In the telnet.rules file, the corresponding rule that should pick it up is:

alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET SGI telnetd format bug"; flags: A+; content:"_RLD"; content:"/bin/sh"; reference:arachnids,304;)

Immediately, I thought that looked odd to have two contents. I took out the content:"_RLD" and it still did not show up as I attempted to hack a system while the other IDS caught it. I then took out the content:"/bin/sh" and it worked off the "_RLD" content. Now, both strings are in the packet payload, so why is Snort not picking up something as clear as /bin/sh? Any help is greatly appreciated.
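When a rule with two content clauses fires on one sensor and not another, a useful first step is to evaluate the content clauses against the captured payload outside the engine, so that a rule-syntax problem can be separated from an engine or preprocessor problem. The following is an added Python example and is not code from the original post or from the Snort project. It implements only the content-matching subset of the rule language (plain strings, |hex| byte runs and the nocase modifier), and it assumes each clause is searched independently over the whole payload, which is the behaviour when no relative modifiers such as distance or within are present; the telnet payload is constructed for the demo.

```python
"""Offline check of Snort 'content:' clauses against a captured payload.

Added illustration only, not Snort's own matcher.  Assumes non-relative
matching: every content clause is searched across the entire payload.
"""
import re

# A |2F 62 69 6E| style hex run inside a content string.
HEX_RUN = re.compile(r"\|([0-9A-Fa-f\s]+)\|")


def decode_content(value: str) -> bytes:
    """Turn a Snort content string into bytes, expanding |hex| runs."""
    out = bytearray()
    pos = 0
    for m in HEX_RUN.finditer(value):
        out += value[pos:m.start()].encode("latin-1")
        out += bytes.fromhex("".join(m.group(1).split()))
        pos = m.end()
    out += value[pos:].encode("latin-1")
    return bytes(out)


def parse_rule_contents(rule: str):
    """Extract [{'pattern': bytes, 'nocase': bool}, ...] from a rule's options."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    # Split on ';' but not inside double quotes (msg text may contain anything).
    opts, cur, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur).strip())

    contents = []
    for opt in opts:
        name, _, val = opt.partition(":")
        name = name.strip().lower()
        if name == "content":
            contents.append({"pattern": decode_content(val.strip().strip('"')),
                             "nocase": False})
        elif name == "nocase" and contents:
            contents[-1]["nocase"] = True  # modifier applies to preceding content
    return contents


def match_contents(contents, payload: bytes):
    """Return (all_matched, offsets); offset -1 marks a clause that missed."""
    offsets = []
    for c in contents:
        if c["nocase"]:
            hay, needle = payload.lower(), c["pattern"].lower()
        else:
            hay, needle = payload, c["pattern"]
        offsets.append(hay.find(needle))
    return all(o >= 0 for o in offsets), offsets


# The rule quoted in the post.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 23 '
        '(msg:"TELNET SGI telnetd format bug"; flags: A+; '
        'content:"_RLD"; content:"/bin/sh"; reference:arachnids,304;)')

# Constructed payload: a telnet option negotiation followed by filler and
# both strings the rule looks for.  Not a real capture.
PAYLOAD = (b"\xff\xfb\x18\xff\xfa\x18\x00" + b"x" * 40
           + b"_RLD" + b"\x00" * 8 + b"/bin/sh\x00")


def report(rule: str, payload: bytes) -> str:
    """Human-readable summary of which clauses matched and where."""
    contents = parse_rule_contents(rule)
    ok, offsets = match_contents(contents, payload)
    lines = [f"{'MATCH' if ok else 'NO MATCH'}: {len(contents)} content clause(s)"]
    for c, off in zip(contents, offsets):
        lines.append(f"  {c['pattern']!r:<14} nocase={c['nocase']!s:<5} offset={off}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(RULE, PAYLOAD))
```

Running it against the constructed payload shows both clauses hitting at distinct offsets, which is what one expects from the rule as written; if the same payload passes here but the sensor stays silent, the cause lies outside the content logic (for instance in stream reassembly or the flags test) rather than in the rule's two content options.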
Current thread:
- Snort not catching /bin/sh Barnes, Ross P ERDC-ITL-MS Contractor (Oct 10)
- <Possible follow-ups>
- RE: Snort not catching /bin/sh Thomas Whipp (Oct 11)
- RE: Snort not catching /bin/sh Barnes, Ross P ERDC-ITL-MS Contractor (Oct 11)